Cache Pollution via Unkeyed GET Parameters
Source: HackerOne · Report Author: alitoni224
Key Terms
A Content Delivery Network (CDN) is a geographically distributed group of servers that caches content close to end users, reducing latency and load on origin servers.
Web Caching is the process of storing copies of files in temporary storage so they can be served more quickly on subsequent requests. Browsers and CDNs both use caching to speed up page loads.
A Web Cache Key is a selected set of HTTP request elements — parts of the request line and headers — used to determine whether to serve a cached response or pass the request to the origin server.
Web Cache Poisoning occurs when an attacker tricks a web cache into storing a malicious HTTP response from a vulnerable application.
Web Cache Pollution is the condition in which the cache fills with redundant copies of the same page. Unlike poisoning (which delivers malicious content), pollution exhausts CDN resources and lowers the cache hit ratio for real users, and the same loose handling of the query string can set up a later cache poisoning if a parameter is reflected in the response while being left out of the key.
Summary
In this report, the target website's CDN keys cached pages on the full URL, including the entire query string, without normalizing it or restricting which parameters count. Because arbitrary parameters become part of the Web Cache Key, an attacker can append any GET parameter to any URL and cause the CDN to store the response as a separate cache entry: a distinct copy of the same page that only requests carrying that exact query string will ever hit.
What Does This Mean in Practice?
The CDN stores responses so that later requests can be served without going back to the origin. When the application ignores a parameter such as foo, ?foo=1 and ?foo=2 should map to the same resource and share one cache entry. Here the CDN treats them as unrelated pages and caches each one independently.
An attacker can script requests with randomly generated parameter names or values and flood the cache with thousands of useless entries, lowering the hit ratio for legitimate users and wasting CDN storage. To confirm the behaviour, request the same page twice with an identical random parameter and then once with a different value; the cache-status headers (Age, X-Cache, CF-Cache-Status, or the platform's equivalent) show a HIT for the repeat and a MISS for the new value when the parameter is part of the key.
Why Is This Possible?
Proper cache key configuration tells the CDN which parts of the request identify a unique resource. Typically this means the scheme, host, path, and a defined set of meaningful query parameters. Everything else — random or unrecognized parameters — should be stripped or ignored before the cache key is computed.
In this report, the CDN is keying on the entire URL, meaning any arbitrary addition to the query string creates a new cache entry:
# These are cached as three separate pages:
https://example.com/page
https://example.com/page?foo=1
https://example.com/page?foo=abc123
Impact
- Resource exhaustion: The CDN cache fills with junk entries, potentially evicting legitimate cached content.
- Lower hit ratio: as junk entries crowd out legitimate ones, more user requests fall through to the origin, so latency varies from request to request and origin load rises.
- Stepping stone for poisoning: the same loose handling of the query string becomes cache poisoning once a parameter is reflected in the response but excluded from the key (for example, after a path-only key is introduced without stripping the parameter from the upstream request); that is a much higher-severity vulnerability.
Remediation
Configure the CDN to normalize cache keys by stripping unknown query parameters before computing the key, and strip them from the request forwarded to the origin as well. Most CDN platforms (Cloudflare, Fastly, Akamai) support cache key customization rules.
# Nginx proxy_cache_key example — key on path only, ignore query params
# Caveat: $uri excludes the query string from the key, but proxy_pass still
# forwards the original query string to the origin. Whichever query string
# arrives first then populates the entry served to everyone, so the origin
# must ignore those parameters (or the query must be dropped upstream too),
# otherwise a reflected parameter becomes a cache poisoning vector.
proxy_cache_key "$scheme$request_method$host$uri";
Alternatively, allowlist only the query parameters that meaningfully affect the response (in nginx, by composing the key from specific $arg_name variables rather than $args) and drop everything else from both the cache key and the upstream request.
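The following simulation is an added example, not code from the report or from any CDN vendor. It contrasts the reported behaviour (keying on the full URL) with an allowlisted, normalized key, and it forwards the normalized URL to the origin so that stripped parameters can neither pollute the cache nor reach a reflecting endpoint. The allowlist (page, lang), the host example.com, the origin behaviour and the traffic mix are all constructed assumptions.

```python
"""Toy CDN cache: full-URL keying vs. allowlisted, normalized keying."""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed allowlist of parameters that actually change the response.
# The real set is application-specific; these two are illustrative.
KEYED_PARAMS = frozenset({"page", "lang"})


def full_url_key(url: str) -> str:
    """Weak key (the reported behaviour): the whole URL, query string included."""
    return url


def normalized_key(url: str, allowlist=KEYED_PARAMS) -> str:
    """Hardened key: scheme, host, path, and only allowlisted params, sorted."""
    parts = urlsplit(url)
    kept = sorted(
        (k, v)
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
        if k in allowlist
    )
    # Fragment is never sent to the server, so it is dropped from the key.
    return urlunsplit((parts.scheme, parts.netloc.lower(), parts.path, urlencode(kept), ""))


class EdgeCache:
    """One entry per distinct key; counts hits and misses."""

    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.store = {}
        self.hits = 0
        self.misses = 0

    def fetch(self, url: str, origin) -> str:
        key = self.key_fn(url)
        if key in self.store:
            self.hits += 1
            return self.store[key]
        self.misses += 1
        # Forward the *keyed* URL, not the raw one: anything the key ignores
        # must not reach the origin either, or an unkeyed-but-forwarded
        # parameter that gets reflected would poison the shared entry.
        body = origin(key)
        self.store[key] = body
        return body


def origin(url: str) -> str:
    """Constructed origin: only 'page' and 'lang' influence the body."""
    parts = urlsplit(url)
    q = dict(parse_qsl(parts.query))
    return f"{parts.path} page={q.get('page', '1')} lang={q.get('lang', 'en')}"


def simulate(key_fn, urls):
    """Replay constructed traffic; return (entries, hits, misses)."""
    cache = EdgeCache(key_fn)
    for u in urls:
        cache.fetch(u, origin)
    return len(cache.store), cache.hits, cache.misses


# Constructed traffic: two legitimate URLs, 1000 polluter requests with a
# fresh junk parameter each, then the legitimate URLs again.
LEGIT = ["https://example.com/page", "https://example.com/page?page=2"]
JUNK = [f"https://example.com/page?cb{i}={i * 7919}" for i in range(1000)]
TRAFFIC = LEGIT + JUNK + LEGIT

if __name__ == "__main__":
    print("full-URL key:   entries=%d hits=%d misses=%d" % simulate(full_url_key, TRAFFIC))
    print("normalized key: entries=%d hits=%d misses=%d" % simulate(normalized_key, TRAFFIC))
```

With the full-URL key every polluter request becomes its own entry and goes to the origin; with the normalized key all thousand junk requests collapse onto the single entry for /page, and the second legitimate pass is served entirely from cache. Sorting the kept parameters also merges ?lang=en&page=2 with ?page=2&lang=en, which otherwise would be two entries for one resource.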