Friday, July 27, 2007

Temporal Cache Poisoning (IExplorer and Firefox) = Feature?

While writing estigma's EditHTML() function (a WYSIWYG editor), I realized that the modified code stays in the cache until you close the browser, or leave the website and enter it again.

At the time, I was too busy to check it in depth, and I guessed it had something to do with the removeNode function I was using. Anyway, yesterday I resumed the investigation, and it appears that the only thing you need to modify the cached version of a website is to access:

javascript:document.write("content");document.close();

Using the javascript: URI in the target webpage.

This was very interesting, because it meant that you could modify the cached version of any webpage in a domain that you have access to. So, for example, if a website has an XSS bug anywhere on the site:

http://www.victim.com/this/website/is/vulnerable.php

That bug can then be used to modify the cached version of www.victim.com/index.
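
Why an XSS bug under one path reaches the index page: the same-origin policy compares scheme, host and port, never the path. The following is an added example, not code from the original post or its PoC; it assumes the standard scheme/host/port comparison, and every URL in the inventory other than the two victim.com addresses above is constructed for illustration.

```javascript
// Origin = scheme + host + port. The path is not part of it, so script
// injected at one path runs with access to every page of that origin.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

function originParts(url) {
  const u = new URL(url);
  return {
    scheme: u.protocol,
    host: u.hostname, // the URL parser lowercases the host
    port: u.port || DEFAULT_PORTS[u.protocol] || "", // ":80" and no port compare equal
  };
}

// Verdict for one page: is it reachable from the injection point, and why.
function classify(injectionUrl, pageUrl) {
  const a = originParts(injectionUrl);
  const b = originParts(pageUrl);
  for (const key of ["scheme", "host", "port"]) {
    if (a[key] !== b[key]) {
      return { reachable: false, reason: `${key} differs (${a[key]} vs ${b[key]})` };
    }
  }
  return { reachable: true, reason: "same origin, path ignored" };
}

// Split a page inventory into pages the injection point exposes and pages it does not.
function blastRadius(injectionUrl, pages) {
  const exposed = [];
  const isolated = [];
  for (const page of pages) {
    const { reachable, reason } = classify(injectionUrl, page);
    (reachable ? exposed : isolated).push({ page, reason });
  }
  return { exposed, isolated };
}

// Constructed inventory (assumption); only the XSS URL and /index come from the post.
const XSS_URL = "http://www.victim.com/this/website/is/vulnerable.php";
const PAGES = [
  "http://www.victim.com/index",
  "http://WWW.VICTIM.COM:80/account/settings",
  "https://www.victim.com/index",
  "http://static.victim.com/index",
  "http://www.victim.com:8080/admin",
];

const report = blastRadius(XSS_URL, PAGES);
for (const e of report.exposed) console.log("EXPOSED ", e.page, "-", e.reason);
for (const e of report.isolated) console.log("isolated", e.page, "-", e.reason);
```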

This is done in a very simple way. I've uploaded a PoC, so you can test it on any website using:
<script src="//sirdarckcat.net/cache_poisoning.js"></script>

This code will open a window to the current directory index, and 5 seconds later it will modify the cached version of the webpage.

Once you enter that website and hit refresh, the content won't change, because the cached version of the website is the one generated by the JavaScript code.

As I was investigating this, Mario Heiderich explained to me that this type of attack may be used to confuse site owners in order to obfuscate the real attack, like reporting a minor vuln to draw attention while exploiting the grave flaw.

Anyway, after talking about this with Giorgio Maone, it turns out that this is (apparently) the browser's desired behavior (saving the JavaScript-generated code in the cache), so this is not a bug, it's a feature!

The impact has already been explained by Mario Heiderich, and another possible attack could be to fake a defacement of a website's index. Anyway, I'm impressed that this is actually what the web browser wants.