The Open Web Application Security Project (OWASP) Los Angeles Chapter has teamed up with the Orange County, Inland Empire, San Diego, and San Francisco Bay Area chapters to bring you another great AppSec California. Join us and your peers for amazing talks and networking on January 22-25, 2019!
Thursday, January 24 • 9:40am - 10:30am
Cache Me If You Can: Messing with Web Caching

As application security has gained in popularity and maturity, attackers and researchers have turned to more creative methods for exploiting web applications. In 2017, security researcher Omer Gil introduced the Web Cache Deception attack. This attack, while trivial to understand and leverage, showed the potential of attacking the caching layer instead of the application itself in order to extract sensitive information. In 2018, GoSecure introduced a new class of attack known as Edge Side Include (ESI) Injection, exploiting a design flaw introduced nearly two decades ago in popular caching servers and cache-providing solutions. Also in 2018, James Kettle released his research on Web Cache Poisoning, which leverages unkeyed input (request data the cache does not include in its cache key) to reflect arbitrary data into an HTTP response, so that a cross-site scripting payload is cached and then served to other users.

The findings from this research expose flaws in caching specifications and implementations that went unidentified for far too long. This talk aims to be a cautionary tale for the next time you need to implement a web caching solution, providing a practical overview of caching attacks on web applications. We'll look at attacks targeting both modern and legacy web applications, how to detect and leverage these design oversights, and, more importantly, how to mitigate them.
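To make the two caching-layer failures named above concrete, the following is an added example (not code from the talk or from any of the cited researchers): a toy caching proxy in front of a hypothetical origin. The hostnames app.example and evil.example, the session cookies, the /account router behaviour and the cache policy knobs are all constructed for the illustration. The vulnerable configuration keys only on the path and caches anything with a static-looking extension; the hardened one adds the reflected header to the cache key and lets the origin's Cache-Control decide what is stored. ESI injection is not modelled here.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Request:
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    cookie: Optional[str] = None  # session cookie; None means anonymous


@dataclass
class Response:
    status: int
    body: str
    headers: Dict[str, str] = field(default_factory=dict)


# Constructed session store for the example: cookie value -> account owner.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}
STATIC_EXTENSIONS = (".css", ".js", ".png")


def origin(req: Request) -> Response:
    """Hypothetical origin with the two weaknesses the attacks rely on: it
    reflects X-Forwarded-Host (unkeyed at the cache) into the page, and its
    router serves the account page for /account/<anything>, extension included."""
    host = req.headers.get("X-Forwarded-Host", "app.example")
    if req.path.startswith("/account"):
        user = SESSIONS.get(req.cookie)
        if user is None:
            return Response(302, "", {"Location": "/login"})
        body = f"<html><p>Account of {user}, email {user}@example</p></html>"
        return Response(200, body, {"Cache-Control": "private"})
    body = f'<html><script src="//{host}/static/app.js"></script></html>'
    return Response(200, body, {"Cache-Control": "public, max-age=60"})


class Cache:
    """Caching proxy in front of origin(). Two policy choices decide whether the
    attacks work: which headers join the key, and whether a static-looking
    extension overrides the origin's Cache-Control."""

    def __init__(self, key_headers=(), extension_rule=True):
        self.key_headers = tuple(key_headers)
        self.extension_rule = extension_rule
        self.store: Dict[tuple, Response] = {}

    def key(self, req: Request) -> tuple:
        # The cookie is deliberately not part of the key: caches do not key on
        # it, which is exactly why a cached private page leaks across users.
        return (req.path,) + tuple(req.headers.get(h, "") for h in self.key_headers)

    def storable(self, req: Request, resp: Response) -> bool:
        if resp.status != 200:
            return False
        if self.extension_rule and req.path.endswith(STATIC_EXTENSIONS):
            return True  # legacy rule: "static" URL wins over Cache-Control
        cc = resp.headers.get("Cache-Control", "")
        return "max-age" in cc and "private" not in cc and "no-store" not in cc

    def fetch(self, req: Request) -> Response:
        k = self.key(req)
        if k not in self.store:
            resp = origin(req)
            if not self.storable(req, resp):
                return resp
            self.store[k] = resp
        return self.store[k]


def vulnerable_cache() -> Cache:
    return Cache(key_headers=(), extension_rule=True)


def hardened_cache() -> Cache:
    # Key on the reflected header (or strip it at the edge) and let the
    # origin's Cache-Control, not the URL suffix, decide what is stored.
    return Cache(key_headers=("X-Forwarded-Host",), extension_rule=False)


def run_poisoning(cache: Cache) -> str:
    """Web Cache Poisoning: the attacker primes the cache with a reflected host,
    then an unrelated user requests the same URL. Returns the host from which
    that user's browser would load app.js."""
    cache.fetch(Request("/", {"X-Forwarded-Host": "evil.example"}))
    victim_body = cache.fetch(Request("/")).body
    return re.search(r'src="//([^/]+)/', victim_body).group(1)


def run_deception(cache: Cache) -> Tuple[int, str]:
    """Web Cache Deception: a logged-in victim is lured to a static-looking URL
    under /account; the attacker then fetches the same URL anonymously.
    Returns the status and body the attacker receives."""
    cache.fetch(Request("/account/profile.css", cookie="sess-alice"))
    resp = cache.fetch(Request("/account/profile.css"))
    return resp.status, resp.body


if __name__ == "__main__":
    for name, make in (("vulnerable", vulnerable_cache), ("hardened", hardened_cache)):
        print(f"{name}: poisoned page loads script from {run_poisoning(make())}")
        status, body = run_deception(make())
        print(f"{name}: anonymous GET /account/profile.css -> {status} {body}")
```

With the vulnerable policy, the victim's copy of / carries a script tag pointing at evil.example, and the anonymous attacker receives Alice's account page from the cache. With the hardened policy, the attacker's poisoned entry is stored under a key only the attacker hits, and the private account response is never stored, so the anonymous request is redirected to /login. The same two checks (what is in the key, and who decides storability) are the ones to audit in any real CDN or reverse-proxy configuration.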

Louis Dion-Marcil

Information Security Analyst
Louis Dion-Marcil is a consultant working for Mandiant. He specializes in offensive appsec and pentesting medium- to large-scale organizations. A seasoned CTF participant and sometime finalist with the DCIETS team, he has also written challenges for various competitions. His prior...

Thursday January 24, 2019 9:40am - 10:30am PST
Club Room