Dark Reading

10 Emerging Threats Every Enterprise Should Know About

Issue link: http://dc.ubm-us.com/i/1013729

Contents of this Issue


Page 16 of 16

darkreading.com | insecurity.com August 2018 17 New Hack Weaponizes the Web Cache into behaving in an unsavory way without directly targeting it. It basically works like this: Kettle sends a request to the website with his payload. "The website then replies with something potentially dangerous ... and the cache takes that, so then anyone who visits after that gets hit by the exploit," he says. Web caches sit in front of websites and serve up stored content rather than all of the delivery coming via the live website. Kettle says the complexity of those caches and content-delivery networks built around many of today's web applications can actually leave them open to abuse. Previous research in web cache security has encom- passed injecting headers or tricking the cache into saving and sharing sensitive data, Kettle says. His attack differs because it forces the cache to serve up exploits to website visitors, he notes. An attacker could use it to plant malware that steals passwords or payment-card information from a website when visitors came to the site. The attack could also be employed to deface a website or redirect a visitor to a malicious site. Firefox Botnet With Firefox, Kettle employed his cache-poisoning attack against the infrastructure behind the browser that checks for and sends application and plug-in updates as well as URLs of dangerous websites to block, for example. "I found by accident ... that I was able to use cache poisoning to effectively input" some limited commands to Firefox browser users worldwide, he says. "If you opened Firefox, I got control of it." Mozilla fixed the flaw within 24 hours of his reporting it, in a January 25 update. When Firefox starts up, it sends a request to the Mozilla infrastructure for updates and other informa- tion. "By using cache poisoning, I could control the response to that message," Kettle says. That could allow an attacker to install certain extensions and corral Firefox browsers into a botnet to wage distributed deni- al-of-service (DDoS) attacks, for example. Kettle says abusing the Firefox flaw alone would be less useful to an attacker than chaining an attack with another exploit and gaining full control of the browsers. As of publication, Mozilla had not responded to a request for comment on Kettle's research. n Kelly Jackson Higgins is Executive Editor at Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications. Write to her at kelly.jackson.higgins@ubm.com. Next Previous

Articles in this issue

Links on this page

view archives of Dark Reading - 10 Emerging Threats Every Enterprise Should Know About