Despite the fact that it is a well-known and well-documented vulnerability, 'web cache poisoning' continues to be a concern on the internet.
Security researcher Iustin Ladunca (Youstin) recently uncovered 70 cache poisoning vulnerabilities with varying implications after conducting a thorough investigation on different websites, including some high-traffic online services.
The intermediate storage points between web servers and client devices, such as point-of-presence servers, proxies, and load balancers, are the targets of web cache poisoning attacks.
These intermediates aid website speed by keeping local versions of online content and delivering them to web clients faster.
Cache poisoning attacks change the way cache servers behave and respond to certain URL requests from clients.
Ladunca told The Daily Swigg, “I started researching web cache poisoning back in November 2020, shortly after reading James Kettle’s extensive research on the topic. Only a few weeks in, I discovered two novel cache poisoning vulnerabilities, which made me realize just how wide the attack surface for cache poisoning is.”
Ladunca outlined how he identified and disclosed the web cache vulnerabilities, which included severs such as Apache Traffic Server, GitHub, GitLab, HackerOne, and Cloudflare, among others, in a blog post.
“A common pattern was caching servers configured to only cache static files, meaning attacks were limited to static files only,” Ladunca stated.
“Even so, there still was a significant impact, since modern websites rely heavily on JS [JavaScript] and CSS {cascading style sheets] and taking those files down would really affect application availability.”
Denial of service (DoS) attacks were launched as a result of several web cache vulnerabilities. Some headers are used as keys by cache servers to store and retrieve URL requests. Ladunca was able to compel servers to cache error responses and deliver them instead of the original content by utilising faulty values in unkeyed headers, making the target URLs unreachable to clients.
“In terms of techniques used, by far the most common one was CP-DoS through unkeyed headers, which probably accounted for 80% of [the] total findings,” Ladunca said.
Cross-site scripting (XSS) attacks could be exploited by other web cache poisoning flaws. One vulnerability, for example, may cause the cache server to forward JavaScript file requests to an attacker-controlled IP. Ladunca was also able to reroute a cache request from one host to another that was vulnerable to DOM-based XSS attacks in another case.
For the 70 web cache vulnerabilities he uncovered, Ladunca received a bug bounty of roughly $40,000. He did, however, learn some valuable lessons about safeguarding web cache servers.
“I would say a good way to secure CDNs from cache poisoning attacks would be disabling caching for error status codes, a mitigation which should stop a large part of CP-DoS attacks,” he said.
The researcher also suggested utilizing PortSwigger's Param Miner, an open-source tool for locating hidden, unrelated parameters. Param Miner can help detect unkeyed headers that can be used for web cache poisoning by running it against web apps.
