
Cache Poisoning

An attack that manipulates a caching mechanism to serve malicious content to users.

Cache poisoning is an attack in which an attacker manipulates the behavior of a caching system to store and serve malicious content to other users. By injecting a crafted response into a web cache, CDN, or DNS resolver, the attacker can cause that malicious content to be delivered to every subsequent user who requests the same resource, amplifying the impact far beyond a single victim.

How It Works

Web cache poisoning exploits the way caching servers determine which requests receive the same cached response. A cache identifies requests as equivalent based on the cache key, typically the URL and Host header. However, the server may also process other inputs, known as unkeyed inputs, such as custom headers, cookies, or query parameters that influence the response but are not part of the cache key.

An attacker identifies an unkeyed input that affects the response content, for example a header that gets reflected in the page. They send a request with a malicious value in that header along with a normal URL. The server generates a response containing the malicious content, and the cache stores it keyed by the URL alone. Every subsequent user requesting that URL receives the cached response containing the attacker's payload, potentially executing JavaScript in their browser or redirecting them to a malicious site.
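
The unkeyed-input behaviour described above, modelled in memory as an added example (not code from this page). The origin's use of `X-Forwarded-Host`, the hostnames and all function names are assumptions made for illustration. The check reports whether a header value reaches a later plain request, first with a cache key of URL and Host only, then with the header added to the key.

```python
# Constructed in-memory model; no network traffic is involved.
from typing import Callable, Dict, Iterable, Tuple

Request = Dict[str, str]  # keys: "url", "Host", plus any other headers


def origin(req: Request) -> str:
    """Hypothetical origin: builds an asset URL from X-Forwarded-Host when present."""
    host = req.get("X-Forwarded-Host", req["Host"])
    return f'<script src="https://{host}/app.js"></script>'


class Cache:
    """Caches origin responses under a key built from the URL plus chosen headers."""

    def __init__(self, backend: Callable[[Request], str], keyed_headers: Iterable[str]):
        self.backend = backend
        self.keyed_headers = tuple(keyed_headers)
        self.store: Dict[Tuple[str, ...], str] = {}

    def key(self, req: Request) -> Tuple[str, ...]:
        return (req["url"],) + tuple(req.get(h, "") for h in self.keyed_headers)

    def fetch(self, req: Request) -> str:
        k = self.key(req)
        if k not in self.store:          # miss: whatever the origin returns is stored
            self.store[k] = self.backend(req)
        return self.store[k]


def unkeyed_influence(make_cache: Callable[[], Cache], base: Request,
                      header: str, probe: str) -> bool:
    """True if a value sent in `header` ends up in the response a plain request gets."""
    cache = make_cache()
    cache.fetch({**base, header: probe})   # first request carries the probe value
    return probe in cache.fetch(base)      # second request is an ordinary one


BASE = {"url": "/home", "Host": "shop.example"}   # constructed sample request
PROBE = "probe.invalid"                           # harmless marker value

weak = lambda: Cache(origin, keyed_headers=["Host"])
fixed = lambda: Cache(origin, keyed_headers=["Host", "X-Forwarded-Host"])

if __name__ == "__main__":
    print("Host-only key:", unkeyed_influence(weak, BASE, "X-Forwarded-Host", PROBE))
    print("Header keyed :", unkeyed_influence(fixed, BASE, "X-Forwarded-Host", PROBE))
```

Adding the header to the cache key is one mitigation; having the origin ignore the header, or stripping it at the cache, removes the influence entirely.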

DNS cache poisoning targets DNS resolvers rather than web caches. By injecting forged DNS responses, an attacker can cause a resolver to cache incorrect IP addresses for domain names, redirecting traffic intended for legitimate sites to attacker-controlled servers. This can enable phishing, malware distribution, or traffic interception on a massive scale.

Why It Matters

Cache poisoning attacks are particularly dangerous because they convert one malicious request into an attack that affects every user requesting the same resource. A single poisoned cache entry on a popular CDN can serve malicious content to millions of users. Security assessments test for cache poisoning by identifying unkeyed inputs and evaluating whether they can influence cached responses in security-relevant ways.
