What are Cache and Cache Poisoning Attacks?
Web caching refers to the process of temporarily storing data for later use. The first time that a user visits a web page, a copy is cached; on subsequent visits they are served the saved copy of that page, which speeds up website loading times. There are four types of web cache [1]:
Site cache. Site cache/page cache stores website data the first time that a web page is loaded, and saved items are retrieved and presented each time the user returns to the website. This is a type of client-side caching, controlled by the end user.
Browser cache. Browser cache is a type of site caching that is built into the end-user’s web browser. There, elements are stored by the browser and grouped with other files associated with your content. Browser cache can contain HTML pages, images, CSS stylesheets, and multimedia content. Browser caching and site caching overlap because they are both client-side caches; the main difference is that the browser controls the cache in browser caching, while the end-user controls the cache in site caching.
Server cache. Server cache includes Content Delivery Network (CDN) caching, object caching, and opcode caching. Website owners administer this type of caching, and each type stores different content on the website’s server. This caching technique is often used for high-traffic websites that need to reduce server overload.
Micro cache. Micro caching only stores content for periods up to ten seconds. It is controlled by end-users and is often used for updated graphs.
Caching servers cache responses based on a number of different factors such as content type, route, status code, file extension, and response header. When the cache server receives an HTTP request, it must determine whether a cached response is available or whether it needs to forward the request to the back-end server. To identify equivalent requests, the caching server compares a predefined subset of parameters from the request’s headers. This subset of parameters is referred to as the cache key, and the parts of the request that are not included in the cache key are considered unkeyed parameters, which are ignored by the caching server.
A web cache poisoning attack involves sending a specially crafted request that generates a maliciously constructed response that is saved in the web cache and is then sent to other legitimate users. Cache poisoning can be carried out by:
- Finding the unkeyed inputs
- Generating a malicious response from the web server
- Getting the malicious response cached
Depending on the web server’s configuration, a cyberattacker may successfully cache an infected file, a malicious script, a malicious link, or another exploit. Any of these attack vectors could be used to compromise your personal information, download malware onto your machine, or perform a range of other attacks, independently or in conjunction with other attacks.
To prevent web cache poisoning:
- Do not trust data in HTTP headers. Never return HTTP headers to users in cached content, and sanitize user-supplied data.
- Cache only static files and static content.
- Regularly monitor web security advisories.
- Check the cache refresh time and be on the lookout for any anomalies.
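The cache key and unkeyed-input behaviour described above, together with the first prevention item, shown as an added example that is not from the original article: a toy in-memory cache in Python. The `X-Forwarded-Host` header, the `example.test` and `.invalid` hosts, and all function names are assumptions made for the illustration.

```python
# Added example: toy in-memory cache model; every name here is hypothetical.

def origin(req):
    """Unsafe back end: builds a URL from a request header (assumed X-Forwarded-Host)."""
    host = req.get("X-Forwarded-Host", "www.example.test")
    return f'<script src="https://{host}/app.js"></script>'

def safe_origin(req):
    """Hardened back end: does not trust the header and uses a fixed host."""
    return '<script src="https://www.example.test/app.js"></script>'

class Cache:
    def __init__(self, backend, keyed=("path",)):
        self.backend, self.keyed, self.store = backend, keyed, {}

    def key(self, req):
        # Only keyed parts take part in the lookup; the rest is unkeyed and ignored.
        return tuple(req.get(k, "") for k in self.keyed)

    def get(self, req):
        k = self.key(req)
        if k not in self.store:  # miss: forward to the back end and save the response
            self.store[k] = self.backend(req)
        return self.store[k]

def unkeyed_inputs_reflected(backend, keyed, candidates, path="/"):
    """Audit: headers that change the response but are absent from the cache key."""
    baseline = backend({"path": path})
    return [h for h in candidates
            if h not in keyed
            and backend({"path": path, h: "probe.invalid"}) != baseline]

def second_visitor_sees(backend, keyed=("path",)):
    """What an ordinary visitor receives after an earlier header-bearing request."""
    cache = Cache(backend, keyed)
    cache.get({"path": "/", "X-Forwarded-Host": "other.invalid"})  # constructed request
    return cache.get({"path": "/"})

if __name__ == "__main__":
    headers = ["X-Forwarded-Host", "Accept-Language"]
    print("flagged:", unkeyed_inputs_reflected(origin, ("path",), headers))
    print("unsafe origin:", second_visitor_sees(origin))
    print("safe origin:  ", second_visitor_sees(safe_origin))
    print("header keyed: ", second_visitor_sees(origin, ("path", "X-Forwarded-Host")))
```

The audit function flags any header that alters the response without being part of the cache key; the fix is either to stop reflecting it (`safe_origin`) or to add it to the key.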
[1] Yalagandula, 2022, “An In-Depth Guide to Web Cache Poisoning and How to Prevent It”