Recently, security researcher Iustin Ladunca (Youstin) conducted research on many websites, including some high-traffic online services, and found 70 cache poisoning vulnerabilities with different effects.
Web cache poisoning attacks target intermediate storage points between web servers and client devices, such as point-of-presence servers, proxies, and load balancers. Intermediaries help improve website performance by storing local versions of web content to speed delivery to web clients. Web cache poisoning attacks manipulate the behavior of cache servers and how they respond to specific URL requests from clients.
Ladunca claims to have been researching web cache poisoning since November 2020, and said:
"Just a few weeks later, I discovered two new cache poisoning vulnerabilities, which made me realize how big the attack surface of cache poisoning is." In a blog post, Ladunca details how he discovered and reported web cache vulnerabilities affecting Apache Traffic Server, GitHub, GitLab, HackerOne and Cloudflare, among others.
"A common pattern is that the cache server is configured to cache only static files, which means that the attack is limited to static files," Ladunca said. "Even so, there are still significant impacts, as modern websites rely heavily on JS and CSS, and removing those files can really impact the usability of the app."
Multiple web caching vulnerabilities lead to denial of service (DoS) attacks. A cache server uses only some parts of a request (typically the URL and a few selected headers) as the key under which responses are stored and looked up; any other header is "unkeyed": it is forwarded to the origin and can change the origin's response, but it plays no part in the cache lookup. By sending invalid values in unkeyed headers, Ladunca was able to make the origin return an error response that the cache then stored under the normal key and served to every later visitor instead of the original content, making the target web page inaccessible to clients.
"In terms of the techniques used, by far the most common is CP-DoS via unkeyed headers, which may account for 80 percent of total discoveries," Ladunca said. Other web cache poisoning vulnerabilities could lead to cross-site scripting (XSS) attacks.
For example, one vulnerability could force a cache server to forward requests for JavaScript files to an attacker-controlled address. In another case, Ladunca was able to redirect cached requests from one host to another that was vulnerable to DOM-based XSS.
Ladunca has been awarded bug bounties totaling approximately $40,000 for the 70 web caching vulnerabilities he discovered, along with significant experience in securing web caching servers. "I think a good way to protect CDNs from cache poisoning attacks is to disable caching of error status codes, a mitigation that should stop most CP-DoS attacks," Ladunca said.
The researcher also recommends using PortSwigger's Param Miner, an open-source tool that can identify hidden, unlinked parameters. Running Param Miner against a web application can help detect unkeyed headers that could be used for web cache poisoning.
However, some netizens on Reddit refuted Ladunca's suggestion:
"Disable caching of error status codes" is definitely not a viable solution. If caching of error status codes is disabled, every request that handles an error response is returned to origin, effectively creating a DDoS attack with an ever-increasing error rate; this will take origin offline until someone intervenes.