Bug Analysis: Cache Pollution via Unkeyed GET Parameters
Summary
This bug is a web cache pollution issue, a close relative of web cache poisoning. The site's CDN caches pages keyed on the full request URL, query string included, without normalizing the URL or restricting the key to the parameters the application actually uses. Because any arbitrary GET parameter becomes part of the cache key, an attacker can request the same page with ever-changing junk parameters and fill the cache with redundant copies of it, evicting legitimately cached content and pushing those requests back to the origin.
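The mechanism described above, as an added Python example that is not part of the original report: a fixed-capacity LRU cache keyed on the full URL (the behaviour the report describes) next to one keyed on a normalized URL that keeps only the parameters the application reads. The hostname, the `page`, `lang` and `cb` parameter names, the allow-list and the cache size are assumptions for illustration.

```python
"""Cache pollution via unkeyed query parameters: naive vs. normalized cache key.

Added example, not code from the original report. Hostnames, parameter names and
the ALLOWED_PARAMS set are assumptions for illustration.
"""
from collections import OrderedDict
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption: the only query parameters the origin application actually reads.
ALLOWED_PARAMS = frozenset({"page", "lang"})


def naive_cache_key(url: str) -> str:
    """Vulnerable behaviour from the report: the full URL, query string included,
    is the cache key, so every distinct query string creates a new entry."""
    return url


def normalized_cache_key(url: str, allowed=ALLOWED_PARAMS) -> str:
    """Hardened key: lower-case scheme and host, drop the fragment, keep only the
    parameters the application uses, and sort them so ordering is irrelevant."""
    parts = urlsplit(url)
    kept = sorted(
        (k, v)
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
        if k in allowed
    )
    return urlunsplit(
        (parts.scheme.lower(), parts.netloc.lower(), parts.path or "/", urlencode(kept), "")
    )


class LRUCache:
    """Minimal fixed-capacity LRU cache standing in for the CDN edge cache."""

    def __init__(self, capacity: int):
        self.capacity = capacity
        self._store = OrderedDict()
        self.evictions = 0

    def get(self, key):
        if key not in self._store:
            return None
        self._store.move_to_end(key)
        return self._store[key]

    def put(self, key, value):
        self._store[key] = value
        self._store.move_to_end(key)
        if len(self._store) > self.capacity:
            self._store.popitem(last=False)  # evict least recently used
            self.evictions += 1


def surviving_entries(key_fn, capacity, legit_urls, attack_urls) -> int:
    """Warm the cache with legitimate pages, replay the attacker's requests, then
    count how many legitimate pages are still served from cache."""
    cache = LRUCache(capacity)
    for url in legit_urls:
        cache.put(key_fn(url), f"body of {url}")
    for url in attack_urls:
        k = key_fn(url)
        if cache.get(k) is None:  # miss -> origin fetch -> new cache entry
            cache.put(k, f"body of {url}")
    return sum(cache.get(key_fn(u)) is not None for u in legit_urls)


# Constructed sample traffic (assumed hostname and parameter names).
LEGIT = [f"https://example.com/article?page={i}" for i in range(1, 6)]
# Attacker: the same page requested with 50 junk values of an unused parameter.
ATTACK = [f"https://example.com/article?page=1&cb={n}" for n in range(50)]

if __name__ == "__main__":
    print("naive     :", surviving_entries(naive_cache_key, 10, LEGIT, ATTACK), "of", len(LEGIT))
    print("normalized:", surviving_entries(normalized_cache_key, 10, LEGIT, ATTACK), "of", len(LEGIT))
```

With the naive key, the 50 attack requests each miss and each allocate a new entry, so all five legitimate pages are evicted from the ten-slot cache; with the normalized key, every attack request collapses onto the single existing entry for `page=1` and nothing is evicted. The same allow-list approach is how CDN cache-key settings (query string allow-lists or ignore rules) fix this class of bug in practice.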
Key Terms
A Content Delivery Network (CDN) is a geographically distributed group of servers that caches content close to end users. [1]
Web Cache / Caching: caching is the process of storing copies of files in a cache, or temporary storage location, so that they can be accessed more quickly. Web browsers cache HTML files, JavaScript, and images in order to load websites more quickly; a CDN does the same at the network edge. [3]
A Web Cache Key is the selected set of HTTP request elements (parts of the request line and the headers) and their values that the cache uses to decide whether to forward the request to the web server or to immediately serve a stored response to the requesting client. [2]
Web Cache Poisoning happens when an attacker tricks a web cache into storing a malicious HTTP response from a vulnerable web application or web API. [2] Web Cache Pollution, the variant in this report, is the related technique of filling the cache with many redundant entries for the same resource, so that legitimately cached content is evicted and requests fall through to the origin.