Experts Warn of the Latest Cache-Poisoned Method of Attack

Data Security

A team of German security researchers has developed a new class of web cache poisoning attacks that could make victim services inaccessible.

Caches reduce network traffic by reusing HTTP responses, help applications scale, and also defend against denial-of-service (DoS) attacks.

Researchers at the Cologne University of Applied Sciences in Germany discovered a new attack in which a server-generated error page poisons the cache, which then serves that useless content instead of the legitimate resource.

The researchers tested the attack against one proxy cache tool (Varnish) and five CDN services that front high-value web sites (Akamai, CDN77, Fastly, Cloudflare and CloudFront) to see whether they cache error pages.

“It is dangerous, as a simple request is sufficient to paralyze the website of a victim in a vast geographical area. A comprehensive understanding of the causes and countermeasures of the newly introduced CPDoS attack is highly valuable for practitioners to deploy robust and secure distributed systems.”

The attack exploits a general problem in layered systems: the same message is processed by several components in sequence, and those components may interpret it differently. Here, a cacheable HTTP request crafted by the attacker contains a malformed field that the caching system ignores but that causes an error when the origin server processes it.

As a result, the intermediate cache receives and stores the origin server's error page; in other words, it is poisoned with a server-generated error. The researchers call the new class of attacks “Cache-Poisoned Denial-of-Service (CPDoS)”, because the useless cached content makes the target service unreachable.

In the study, the researchers empirically analyzed how 15 existing web caching solutions handle HTTP requests containing malformed fields and whether they cache the resulting error pages; the vulnerable services have already been alerted to the problem.

The attack exploits the semantic gap between two HTTP engines, one in a shared cache and the other on the origin server. The deployed caching system is more lenient than the origin server when parsing requests, so an attacker can insert harmful headers into a request that the cache accepts.

If these headers are forwarded to the origin server without modification, the request passes through the cache without a problem, but processing it on the server produces an error. The server therefore replies with an error page, which the cache stores and reuses for subsequent requests.

As a result, every user who sends a GET request for the poisoned URL receives the stored error page instead of the real content. According to the whitepaper, a single request that stays below the detection threshold of web application firewalls and DoS protection is enough to replace the actual content in the cache with an error page.

Mild CPDoS attacks can break images or style sheets and thereby damage an application's appearance, but more severe attacks can render entire web applications unavailable. CPDoS attacks could also block patches or firmware updates distributed via caches.

“Attackers can also turn off major security warnings or updates on sensitive project pages, such as online banking or government official websites. Imagine, for example, that a CPDoS attack would prevent warning users about phishing e-mails or natural disasters,” the researchers say.

An attacker can carry out the attack with little chance of detection and a high probability of success, which is why CPDoS poses a high risk.

In their paper, the researchers present three variants of the general CPDoS attack: HTTP Method Override (HMO), in which the malicious client sends a GET request carrying an HTTP method override header; HTTP Header Oversize (HHO), in which the malicious client sends a GET request with a header larger than the origin server's size limit but smaller than the cache's; and HTTP Meta Character (HMC), in which the malicious client sends a GET request with a header containing a harmful meta character.

Experiments showed that eight Department of Defense (DoD) websites, more than a dozen Alexa Top 500 sites and millions of URLs contained in the HTTP Archive dataset are vulnerable to CPDoS attacks.

“According to our studies, 11% of the DoD websites are vulnerable to CPDoS attacks, 30% of Alexa Top 500 websites and 16% of the URLs of the analyzed dataset. Such cached contents also include mission critical firmware and files for upgrading,” the scientists note.

Among the resources found vulnerable because they use CloudFront as their CDN are ethereum.org, marines.com and nasa.gov, where the researchers were able to block text, style sheets, images and even dynamic content.

The researchers reported the vulnerabilities to the affected HTTP implementation vendors and cache providers (including AWS, Microsoft, Play 1 and Flask) in February 2019 and worked closely with them to eliminate the identified risks.

Although not caching error pages at all seems the most logical and effective countermeasure against CPDoS attacks, in many cases it can have an impact on performance.
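The following toy model, added here and not taken from the article or the researchers' paper, illustrates the header-oversize case described above and why the countermeasure of not caching error pages works: a cache with a generous header limit sits in front of an origin with a stricter one, and the cache key is the path alone. All limits, paths and header names are assumed for illustration.

```python
# Added example: a minimal cache-in-front-of-origin model of the CPDoS
# mechanism. Sizes and names are constructed, not taken from any real service.
from dataclasses import dataclass, field

ORIGIN_MAX_HEADER_BYTES = 8192   # assumed origin limit (the stricter engine)
CACHE_MAX_HEADER_BYTES = 16384   # assumed cache limit (the more lenient engine)
GOOD_BODY = "<html>legitimate page</html>"


@dataclass
class Response:
    status: int
    body: str


def origin(path: str, headers: dict) -> Response:
    """Origin server: rejects any single header larger than its own limit."""
    for name, value in headers.items():
        if len(name) + len(value) > ORIGIN_MAX_HEADER_BYTES:
            return Response(400, "Bad Request: header too large")
    return Response(200, GOOD_BODY)


@dataclass
class Cache:
    cache_errors: bool               # True models the vulnerable behaviour
    store: dict = field(default_factory=dict)

    def get(self, path: str, headers: dict) -> Response:
        # The cache key is the path only, so a malformed extra header does
        # not change which entry later, clean requests are served from.
        if path in self.store:
            return self.store[path]
        for name, value in headers.items():
            if len(name) + len(value) > CACHE_MAX_HEADER_BYTES:
                return Response(431, "Request Header Fields Too Large")
        resp = origin(path, headers)           # lenient cache forwards it
        # Countermeasure: store only successful responses, never error pages.
        if resp.status == 200 or self.cache_errors:
            self.store[path] = resp
        return resp


def status_seen_by_normal_user(cache_errors: bool) -> int:
    """Status a clean GET receives after one malformed request hit the cache."""
    cache = Cache(cache_errors=cache_errors)
    # Constructed request: header size between the two limits, so the cache
    # forwards it while the origin rejects it with an error page.
    malformed = {"X-Oversized": "A" * (ORIGIN_MAX_HEADER_BYTES + 1)}
    cache.get("/index.html", malformed)
    return cache.get("/index.html", {}).status
```

With `cache_errors=True` the clean follow-up request is served the stored 400; with `cache_errors=False` the error is passed through but never stored, so the next request reaches the origin and gets the real page.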

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.