Original Post: Breaking caches and bypassing Istio RBAC with HTTP response header injection
The article discusses the expansion of research into WebSocket-related attacks, branching out from earlier work on WebSocket Hijacking. It introduces novel attack methods against HTTP application middleware, focusing on HTTP response header injection vulnerabilities. Two primary attack scenarios are detailed:
-
NGINX Cache Manipulation:
- An HTTP response header injection vulnerability can manipulate caching behaviors in NGINX.
- An attacker could force NGINX to cache pages improperly, leading to unauthorized data exposure or helpful phishing attacks by combining it with vulnerabilities like Host header injection.
- WebSocket Smuggling and Kubernetes Istio RBAC Bypass:
- WebSocket smuggling involves tricking a reverse proxy like Envoy (underpinning Istio) into misinterpreting HTTP requests as upgraded WebSocket connections.
- This allows an attacker to bypass role-based access control (RBAC) mechanisms in Kubernetes Istio, thereby accessing restricted application paths.
The post also covers practical aspects of these attacks, such as cache manipulation and bypassing RBAC, detailing the methodological steps and illustrating them with code samples and visual aids.
Mitigations:
- Ensure applications do not contain HTTP response header injection vulnerabilities.
- Utilize Snyk Code for identifying and advising on remediation for these types of vulnerabilities.
- Disable unnecessary functionalities, like WebSocket support, in middleware to reduce the risk of such exploits.
Envoy has implemented patches for the described vulnerability, ensuring only correct response codes (101) trigger protocol switches. These patches are available in specific Envoy versions, providing an additional layer of security.
Go here to read the Original Post