Web Cache Poisoning Explained : Web Security & Vulnerability

When we implement the web caching, one of the crucial parts is to identify if the request has already been cached. Nowadays, the most popular way to do that is via the comparisons of cache keys from the request. Usually, one HTTP request will contain a bunch of key-value pairs and we can pick up a group of those keys as the criteria to identify if two requests are the same. For example, for these two HTTP requests, if we take the first three keys as the criteria, they will be identified as the same request, if we add the last key into the group, they will be considered as different requests. Because each cached page has its expiry datetime. As a hacker, what he needs to do is to prepare a manipulated HTTP request and patiently wait for the current cache's next expiry time. Once he finds that page is expired, he needs to upload his malicious request immediately which will leave a copy of the malicious response in the cache. Then any subsequent requests will get a copy of this response which may include some malicious javascript code on the page.

So, for the hacker to successfully implement the web caching Poisoning, he needs to prepare the malicious HTTP request and send the request at the perfect time. Let's take a look at the following example about the manipulated HTTP request. If we send the following HTTP request, we will get the corresponding response from the server. You can see some unescaped data from the header has been directly used in the web contents. If we change the request data by using some special content, it will form a perfect cross-site script which enables the response to contain malicious code. We can see that the response contains some malicious javascript code which will run automatically once the page is loaded. One the hacker prepares the malicious HTTP header, he needs to wait for the exact time at which the previous cache will expire. One solution is to use some tools to repeatedly send requests to the server. However, this approach will result in heavy traffic which will be easily detected by the firewall. Another solution is to check if there are other HTTP headers providing some information about the cache expiration period. Some of the following headers will help hackers to better determine the next expiry timestamp.