Social Network For Security Executives: Help Make Right Cyber Security Decisions
When caching servers and load balancers became an integral part of the Internet's infrastructure, vendors introduced what is called "Edge Side Includes" (ESI), a technology allowing malleability in caching systems. This legacy technology, still implemented in nearly all popular HTTP surrogates (caching/load balancing services), is dangerous by design and brings a yet unexplored vector for web-based attacks.
Identified affected vendors include Akamai, Varnish Cache, Squid Proxy, Fastly, IBM WebSphere, Oracle WebLogic, F5, and countless language-specific solutions (NodeJS, Ruby, etc.). This presentation will start by defining ESI and visiting typical infrastructures leveraging this model. We will then delve into to the good stuff; identification and exploitation of popular ESI engines, and mitigation recommendations.
Louis Dion-Marcil is a Security Analyst working at GoSecure in Montreal, where he specializes in offensive appsec and pentest on medium to large scale organizations. A seasoned CTF participant and sometimes finalist with the DCIETS team, he has also written challenges for various competitions. Having recently obtained his software engineering degree, he dabbles in various research engagements between pentests.