How does it work?

1) HTTP cache poisoning

We found two forms of HTTP cache poisoning attacks against shared, transparent caches, and one form against a CDN cache.

a) General cache poisoning attack against a transparent cache (Squid)

We have demonstrated this attack on Squid 3.5.12, enabling cache poisoning of any unencrypted HTTP website. The scenario requires an attacker who can send HTTP requests that pass through a shared transparent cache (Squid 3.5.12). Note that attackers can readily obtain the necessary vantage point using techniques such as web ads. Squid fixed this problem after our report. (You can also watch all the videos on YouTube.)

b) Exploiting co-hosting to launch attacks against transparent caches (Apache Traffic Server)

The second form exploits the situation where an attacker can obtain a web site hosted on the same server as a target web site, and the hosting server “cooperates” with a transparent cache to enable cache poisoning. Many co-hosting services, such as Content Delivery Networks (CDNs), facilitate this attack. We have demonstrated this exploit on Apache Traffic Server (ATS) 6.1.1, poisoning its cache of sites hosted on Akamai.

c) Exploiting co-hosting to launch attacks against Akamai CDN caches

This attack differs from the second form. It poisons the Akamai CDN cache when a Squid proxy resides between the Akamai CDN and the victim's origin server. We have demonstrated this exploit on the Akamai CDN. Akamai fixed this problem after our report.

2) Filter bypass

Attackers can also use Host of Troubles vulnerabilities to evade network controls provided by firewalls.

a) Bypass parental control features of Windows 8.1

We have demonstrated this attack by bypassing the Parental Control of Windows 8.1, a host-based firewall, by issuing the following request, which is sent to a server for “block.com”:

    GET http://www.allow.com/ HTTP/1.1
    Host: www.block.com

Apart from host-based firewalls, the evasion techniques can also be used to bypass network-based firewalls.
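Both the cache poisoning and the filter bypass cases above rest on the same condition: a request whose intended host can be read differently by two hops. The following is an added defender-side check (example code, not from the Host of Troubles project) that flags such requests before a cache or firewall acts on them; the function names and the sample requests are constructed for this illustration.

```python
# Added example: flag HTTP/1.1 requests whose host is ambiguous, i.e. where the
# absolute-URI host in the request line disagrees with the Host header, or where
# the Host header is missing or repeated. A proxy or firewall that rejects these
# cannot be made to route on one host while caching or filtering on another.
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit


def host_candidates(raw_request: bytes) -> Dict[str, object]:
    """Collect every place a middlebox might take the host name from."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    header_hosts: List[str] = [
        line.split(":", 1)[1].strip()
        for line in lines[1:]
        if line.lower().startswith("host:")
    ]
    # Only an absolute-form request target carries a host of its own.
    uri_host: Optional[str] = urlsplit(target).hostname if "://" in target else None
    return {"uri_host": uri_host, "header_hosts": header_hosts}


def is_ambiguous(raw_request: bytes) -> Tuple[bool, str]:
    """Return (True, reason) when two hops could disagree on the host."""
    cand = host_candidates(raw_request)
    header_hosts: List[str] = cand["header_hosts"]  # type: ignore[assignment]
    if len(header_hosts) != 1:
        return True, f"{len(header_hosts)} Host headers"
    host = header_hosts[0].split(":")[0].lower()  # drop an explicit port
    uri_host = cand["uri_host"]
    if uri_host and str(uri_host).lower() != host:
        return True, f"absolute-URI host {uri_host!r} != Host {host!r}"
    return False, "ok"


# Constructed samples; the first mirrors the parental-control bypass request above.
SAMPLES = {
    "uri_vs_host": b"GET http://www.allow.com/ HTTP/1.1\r\nHost: www.block.com\r\n\r\n",
    "plain": b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "two_hosts": b"GET / HTTP/1.1\r\nHost: a.example\r\nHost: b.example\r\n\r\n",
    "consistent_abs": b"GET http://www.example.com/ HTTP/1.1\r\nHost: www.example.com:80\r\n\r\n",
}


def report(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, str]:
    """Map each sample name to the reason it was flagged, or 'ok'."""
    return {name: is_ambiguous(req)[1] for name, req in samples.items()}


if __name__ == "__main__":
    for name, reason in report().items():
        print(f"{name:15s} {reason}")
```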