Add Web Cache Deception QHelp and Example Code Snippet for Vulnerable and Fixed Version

Yunus AYDIN · Yunus AYDIN · commit 4317e584144a · 2023-11-13T23:54:29.000+03:00
diff --git a/go/ql/src/experimental/CWE-525/WebCacheDeception.qhelp b/go/ql/src/experimental/CWE-525/WebCacheDeception.qhelp
@@ -0,0 +1,35 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+    <overview>
+        <p>
+            Web Cache Deception is a security vulnerability where an attacker tricks a web server into caching sensitive information and then accesses that cached data.
+        </p>
+        <p>
+            This attack exploits certain behaviors in caching mechanisms by requesting URLs that trick the server into thinking that a non-cachable page is cachable. If a user then accesses sensitive information on these pages, it could be cached and later retrieved by the attacker.
+        </p>
+    </overview>
+    <recommendation>
+        <p>
+            To prevent Web Cache Deception attacks, web applications should clearly define cacheable and non-cacheable resources. Implementing strict cache controls and validating requested URLs can mitigate the risk of sensitive data being cached.
+        </p>
+    </recommendation>
+    <example>
+        <p>
+            Vulnerable code example: A web server is configured to cache all responses ending in '.css'. An attacker requests 'profile.css', and the server processes 'profile', a sensitive page, and caches it.
+        </p>
+        <sample src="WebCacheDeceptionBad.go" />
+    </example>
+    <example>
+        <p>
+            Secure code example: The server is configured with strict cache controls and URL validation, preventing caching of dynamic or sensitive pages regardless of their URL pattern.
+        </p>
+        <sample src="WebCacheDeceptionGood.go" />
+    </example>
+    <references>
+        <li>
+            OWASP Web Cache Deception Attack:
+            <a href="https://owasp.org/www-community/attacks/Web_Cache_Deception">Understanding Web Cache Deception Attacks</a>
+        </li>
+        <!-- Additional references can be added here -->
+    </references>
+</qhelp>
diff --git a/go/ql/src/experimental/CWE-525/WebCacheDeceptionBad.go b/go/ql/src/experimental/CWE-525/WebCacheDeceptionBad.go
@@ -0,0 +1,90 @@
+package main
+
+import (
+	"flag"
+	"fmt"
+	"html/template"
+	"log"
+	"net/http"
+	"os/exec"
+	"strings"
+	"sync"
+)
+
+var sessionMap = make(map[string]string)
+
+var (
+	templateCache = make(map[string]*template.Template)
+	mutex         = &sync.Mutex{}
+)
+
+type Lists struct {
+	Uid       string
+	UserName  string
+	UserLists []string
+	ReadFile  func(filename string) string
+}
+
+func parseTemplateFile(templateName string, tmplFile string) (*template.Template, error) {
+	mutex.Lock()
+	defer mutex.Unlock()
+
+	// Check if the template is already cached
+	if cachedTemplate, ok := templateCache[templateName]; ok {
+		fmt.Println("cached")
+		return cachedTemplate, nil
+	}
+
+	// Parse and store the template in the cache
+	parsedTemplate, _ := template.ParseFiles(tmplFile)
+	fmt.Println("not cached")
+
+	templateCache[templateName] = parsedTemplate
+	return parsedTemplate, nil
+}
+
+func ShowAdminPageCache(w http.ResponseWriter, r *http.Request) {
+
+	if r.Method == "GET" {
+		fmt.Println("cache called")
+		sessionMap[r.RequestURI] = "admin"
+
+		// Check if a session value exists
+		if _, ok := sessionMap[r.RequestURI]; ok {
+			cmd := "mysql -h mysql -u root -prootwolf -e 'select id,name,mail,age,created_at,updated_at from vulnapp.user where name not in (\"" + "admin" + "\");'"
+
+			// mysql -h mysql -u root -prootwolf -e 'select id,name,mail,age,created_at,updated_at from vulnapp.user where name not in ("test");--';echo");'
+			fmt.Println(cmd)
+
+			res, err := exec.Command("sh", "-c", cmd).Output()
+			if err != nil {
+				fmt.Println("err : ", err)
+			}
+
+			splitedRes := strings.Split(string(res), "\n")
+
+			p := Lists{Uid: "1", UserName: "admin", UserLists: splitedRes}
+
+			parsedTemplate, _ := parseTemplateFile("page", "./views/admin/userlists.gtpl")
+			w.Header().Set("Cache-Control", "no-store, no-cache")
+			err = parsedTemplate.Execute(w, p)
+		}
+	} else {
+		http.NotFound(w, nil)
+	}
+
+}
+
+func main() {
+	var portNum = flag.String("p", "80", "Specify application server listening port")
+	flag.Parse()
+	fmt.Println("Vulnapp server listening : " + *portNum)
+
+	http.Handle("/assets/", http.StripPrefix("/assets/", http.FileServer(http.Dir("assets/"))))
+
+	http.HandleFunc("/adminusers/", ShowAdminPageCache)
+	err := http.ListenAndServe(":"+*portNum, nil)
+	if err != nil {
+		log.Fatal("ListenAndServe: ", err)
+	}
+}
diff --git a/go/ql/src/experimental/CWE-525/WebCacheDeceptionGood.go b/go/ql/src/experimental/CWE-525/WebCacheDeceptionGood.go
@@ -0,0 +1,90 @@
+package main
+
+import (
+	"flag"
+	"fmt"
+	"html/template"
+	"log"
+	"net/http"
+	"os/exec"
+	"strings"
+	"sync"
+)
+
+var sessionMap = make(map[string]string)
+
+var (
+	templateCache = make(map[string]*template.Template)
+	mutex         = &sync.Mutex{}
+)
+
+type Lists struct {
+	Uid       string
+	UserName  string
+	UserLists []string
+	ReadFile  func(filename string) string
+}
+
+func parseTemplateFile(templateName string, tmplFile string) (*template.Template, error) {
+	mutex.Lock()
+	defer mutex.Unlock()
+
+	// Check if the template is already cached
+	if cachedTemplate, ok := templateCache[templateName]; ok {
+		fmt.Println("cached")
+		return cachedTemplate, nil
+	}
+
+	// Parse and store the template in the cache
+	parsedTemplate, _ := template.ParseFiles(tmplFile)
+	fmt.Println("not cached")
+
+	templateCache[templateName] = parsedTemplate
+	return parsedTemplate, nil
+}
+
+func ShowAdminPageCache(w http.ResponseWriter, r *http.Request) {
+
+	if r.Method == "GET" {
+		fmt.Println("cache called")
+		sessionMap[r.RequestURI] = "admin"
+
+		// Check if a session value exists
+		if _, ok := sessionMap[r.RequestURI]; ok {
+			cmd := "mysql -h mysql -u root -prootwolf -e 'select id,name,mail,age,created_at,updated_at from vulnapp.user where name not in (\"" + "admin" + "\");'"
+
+			// mysql -h mysql -u root -prootwolf -e 'select id,name,mail,age,created_at,updated_at from vulnapp.user where name not in ("test");--';echo");'
+			fmt.Println(cmd)
+
+			res, err := exec.Command("sh", "-c", cmd).Output()
+			if err != nil {
+				fmt.Println("err : ", err)
+			}
+
+			splitedRes := strings.Split(string(res), "\n")
+
+			p := Lists{Uid: "1", UserName: "admin", UserLists: splitedRes}
+
+			parsedTemplate, _ := parseTemplateFile("page", "./views/admin/userlists.gtpl")
+			w.Header().Set("Cache-Control", "no-store, no-cache")
+			err = parsedTemplate.Execute(w, p)
+		}
+	} else {
+		http.NotFound(w, nil)
+	}
+
+}
+
+func main() {
+	var portNum = flag.String("p", "80", "Specify application server listening port")
+	flag.Parse()
+	fmt.Println("Vulnapp server listening : " + *portNum)
+
+	http.Handle("/assets/", http.StripPrefix("/assets/", http.FileServer(http.Dir("assets/"))))
+	http.HandleFunc("/adminusers", ShowAdminPageCache)
+
+	err := http.ListenAndServe(":"+*portNum, nil)
+	if err != nil {
+		log.Fatal("ListenAndServe: ", err)
+	}
+}
