[WEB SECURITY] The true power of cache

MustLive mustlive at websecurity.com.ua
Sun Feb 7 15:29:05 EST 2010


Hello, participants of the Mailing List.

As I wrote last week in my article The true power of cache 
(http://websecurity.com.ua/3907/), the cache of search engines can be a useful 
tool in skilful hands. There are many ways hackers can make use of the cache.

Possibilities of the search engine cache:

1. Search for vulnerabilities of the site in the cache.
2. Search for vulnerabilities of the site in snippets.
3. No records in the site's logs.
4. Bypassing restrictions on access to the site.
5. Existence of vulnerabilities in the cache.
6. It's always possible to retrieve information from the site.
7. Finding out the last time the site was working.
8. Finding out the time the site was hacked.
9. Malware spreading.

Search for vulnerabilities of the site in the cache.

It's possible to find vulnerabilities of the site in the cache of a search 
engine, e.g. Full path disclosure and other Information Leakage 
vulnerabilities which were already fixed at the site. In particular, I found 
such a vulnerability at www.stat24.com.ua (http://websecurity.com.ua/1939/).

I.e. the cache allows bypassing this fixing of vulnerabilities (for some 
time). So it's better not to allow information leakages ;-), because even 
fixing the holes will not help immediately; it'll also be necessary to wait 
for the cache in search engines to update. Such a case took place at Twitter 
(http://websecurity.com.ua/3283/).

Search for vulnerabilities of the site in snippets.

It's possible to find vulnerabilities of the site in the snippets of a search 
engine (data from the cache which is shown in search results), e.g. Full path 
disclosure and other Information Leakage vulnerabilities which were already 
fixed at the site.

No records in the site's logs.

If it's needed to get information from the site, but you don't want to leave 
records in the logs (about visiting the site), then it's possible to get the 
information from the cache, and so leave no trace. But this is only possible 
with graphics and plugins turned off (or using Google's "text" cache), so 
that there will be no referrers from the search engine's cache during access 
to images and other embedded files which are placed at the site.

Bypassing restrictions on access to the site.

If access to the site is restricted for you (by IP), but access is allowed 
for the bots of search engines, then it's possible to get information from 
the search engine's cache.

Existence of vulnerabilities in the cache.

There can also be vulnerabilities in the cache of the search engines 
themselves. In particular, I found an XSS vulnerability in Yandex 
(http://websecurity.com.ua/1698/), which took place in the cache of the 
search engine.

It's always possible to retrieve information from the site.

It's possible to retrieve information from the site even if it doesn't work 
at the moment (it stopped working completely or temporarily, e.g. as a result 
of an attack).

Finding out the last time the site was working.

When the site has stopped working (e.g. as a result of a DDoS attack), then 
it's possible to find out with the help of the cache when the bot of a search 
engine, e.g. Google, last came to the site, and thereby the last time when 
the site was working.

Finding out the time the site was hacked.

For my research on hacked sites (http://websecurity.com.ua/3897/) I'm using 
Google, and then in the search engine's cache I find out the date when the 
site was hacked. And even if the admins of the site have already removed the 
defacement, I'll still reveal via the cache that the site was hacked.

Malware spreading.

If a search engine puts a page of the site with malware into its cache, then 
all who visit this cached page will be attacked, just as when visiting the 
site. And it'll be possible, e.g., to send links to the search engine's cache 
by email, using its name to increase the number of people who will follow 
these links.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 
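A defender's counterpart to the referrer leak described in the section on log records, added here as an example that is not part of the original post: it scans web server access log lines for requests for embedded files whose Referer is a search engine cache page, which is exactly the trace a cache viewer leaves when graphics are not turned off. The log lines are constructed, and the set of cache hostnames is an assumption to adjust for the engines you care about.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed Apache "combined" log lines (sample data, not taken from the original post).
SAMPLE_LOG = """\
203.0.113.7 - - [07/Feb/2010:15:29:05 +0200] "GET /images/logo.png HTTP/1.1" 200 5120 "http://webcache.googleusercontent.com/search?q=cache:example.org/admin/" "Mozilla/5.0"
203.0.113.7 - - [07/Feb/2010:15:29:06 +0200] "GET /css/site.css HTTP/1.1" 200 812 "http://webcache.googleusercontent.com/search?q=cache:example.org/admin/" "Mozilla/5.0"
198.51.100.9 - - [07/Feb/2010:15:31:10 +0200] "GET /admin/ HTTP/1.1" 200 2048 "http://example.org/" "Mozilla/5.0"
198.51.100.9 - - [07/Feb/2010:15:31:12 +0200] "GET /images/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Hostnames that serve cached copies of pages (assumed list; extend it for the engines you see).
CACHE_HOSTS = {"webcache.googleusercontent.com", "cc.bingj.com", "hghltd.yandex.net"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_cache_referer(referer):
    """True when the Referer points at a known search-engine cache host."""
    return urlparse(referer).hostname in CACHE_HOSTS

def cached_page(referer):
    """Which cached page the viewer was reading: Google encodes it as q=cache:<url>,
    for other hosts the raw referer is returned."""
    q = parse_qs(urlparse(referer).query).get("q", [""])[0]
    return q[len("cache:"):] if q.startswith("cache:") else referer

def find_cache_viewers(log_text):
    """Requests for embedded assets whose Referer is a cache page: each one is a visitor
    who read the cached copy with images/CSS enabled, plus the page they were reading."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_cache_referer(rec["referer"]):
            hits.append({"ip": rec["ip"], "time": rec["ts"], "path": rec["path"],
                         "cached_page": cached_page(rec["referer"])})
    return hits

if __name__ == "__main__":
    for h in find_cache_viewers(SAMPLE_LOG):
        print(f'{h["time"]} {h["ip"]} fetched {h["path"]} while viewing cached {h["cached_page"]}')
```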

