Researcher discovers 70 web cache poisoning vulnerabilities, nets $40k in bug bounty rewards

Despite being a known and well-documented vulnerability, web cache poisoning continues to crop up around the web.

In extensive research of many websites, including some high-traffic online services, security researcher Iustin Ladunca (Youstin) recently discovered 70 cache poisoning vulnerabilities with various impacts.

Web cache poisoning attacks target the intermediate storage points between web servers and client devices, such as point-of-presence servers, proxies, and load balancers.


These intermediaries help improve the performance of websites by storing local versions of web content to speed up their delivery to web clients.

Web cache poisoning attacks manipulate the behavior of cache servers and how they respond to specific URL requests by clients.

DoS and XSS

“I started researching web cache poisoning back in November 2020, shortly after reading James Kettle’s extensive research on the topic,” Ladunca told The Daily Swig.

“Only a few weeks in, I discovered two novel cache poisoning vulnerabilities, which made me realize just how wide the attack surface for cache poisoning is.”

In a write-up on his blog, Ladunca has detailed how he discovered and reported the web cache vulnerabilities, which affected Apache Traffic Server, GitHub, GitLab, HackerOne, and Cloudflare, among others.

“A common pattern was caching servers configured to only cache static files, meaning attacks were limited to static files only,” Ladunca said. “Even so, there still was significant impact, since modern websites rely heavily on JS [JavaScript] and CSS [cascading style sheets] and taking those files down would really affect application availability.”


Several of the web cache vulnerabilities resulted in denial of service (DoS) attacks. Cache servers build their cache key from the request URL and a subset of the request headers; headers outside that key (“unkeyed” headers) do not affect which cached entry is served, but can still change how the origin responds. By sending invalid values in unkeyed headers, Ladunca was able to force the servers to cache error responses and later serve them, instead of the original content, to every subsequent client, which made the target webpages inaccessible.

“In terms of techniques used, by far the most common one was CP-DoS through unkeyed headers, which probably accounted for 80% of [the] total findings,” Ladunca said.

Other web cache poisoning vulnerabilities could lead to cross-site scripting (XSS) attacks. For example, one vulnerability could force the cache server to forward JavaScript file requests to an attacker-controlled address. In another case, Ladunca was able to redirect a cache request from one host to another that was vulnerable to DOM-based XSS attacks.

Lessons learned

Ladunca was awarded a total of around $40,000 in bug bounty for the 70 web cache vulnerabilities he discovered. But he also took away important lessons about securing web cache servers.

“I would say a good way to secure CDNs from cache poisoning attacks would be disabling caching for error status codes, a mitigation which should stop a large part of CP-DoS attacks,” he said.
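To make the CP-DoS mechanism described above and this mitigation concrete, here is an added example that is not code from the article or the researcher: a toy cache that keys only on Host and path, fronting a constructed origin that answers 400 when an unkeyed X-Forwarded-Host header is oversized. With error caching enabled, one malformed request leaves a 400 in the cache for every later client; refusing to store error statuses removes that outcome. The header name, the origin's validation rule and the cache's key are assumptions for illustration.

```python
# Added example, not from the article: a minimal model of cache poisoning
# denial of service through an unkeyed header, and the "do not cache error
# status codes" mitigation. Everything here is constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    body: str


def origin(request: dict) -> Response:
    """Constructed origin: rejects an oversized X-Forwarded-Host value.
    The header is not part of the cache key below, so it is 'unkeyed'."""
    xfh = request["headers"].get("X-Forwarded-Host", "")
    if len(xfh) > 64:
        return Response(400, "bad request")
    return Response(200, f"static js for {request['path']}")


@dataclass
class Cache:
    cache_errors: bool = True  # weak setting: every status code is stored
    store: dict = field(default_factory=dict)

    def key(self, request: dict) -> tuple:
        # Cache key is Host + path only; X-Forwarded-Host is unkeyed.
        return (request["headers"]["Host"], request["path"])

    def fetch(self, request: dict) -> tuple:
        k = self.key(request)
        if k in self.store:
            return self.store[k], True  # cache hit
        resp = origin(request)
        # Mitigation: with cache_errors=False, 4xx/5xx responses are never stored.
        if self.cache_errors or resp.status < 400:
            self.store[k] = resp
        return resp, False


def simulate(cache_errors: bool) -> int:
    """Return the status an ordinary client sees after one poisoning attempt."""
    cache = Cache(cache_errors=cache_errors)
    poison = {"headers": {"Host": "example.test", "X-Forwarded-Host": "A" * 100},
              "path": "/app.js"}
    victim = {"headers": {"Host": "example.test"}, "path": "/app.js"}
    cache.fetch(poison)          # origin answers 400; stored only if errors are cacheable
    resp, _ = cache.fetch(victim)  # same key as the poisoned request
    return resp.status
```

`simulate(True)` returns 400 (the cached error is served to the victim), while `simulate(False)` returns 200 because the error was never stored.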

The researcher also recommended using PortSwigger’s Param Miner, an open source tool that can identify hidden, unlinked parameters. Running Param Miner against web applications can help detect unkeyed headers that can be used for web cache poisoning.
