
What is Cache Poisoning? How Hackers Manipulate Web Caches and How to Prevent It

Web caches play an important role in speeding up our browsing experience. They store copies of web pages and other resources so that users can access them more quickly.

But what happens when these caches become a tool for hackers?

Let’s take a look at cache poisoning, how it works, and how you can protect yourself against it.

What is a web cache?

Caching means storing a copy of a piece of content. A web cache stores copies of web pages or parts of web content temporarily.

When you visit a website, your browser can cache some elements, such as images and scripts. So the next time you visit the same site, the browser can load it faster.

Caching speeds up websites. It reduces the amount of data that has to be sent over the network. This makes browsing more efficient and provides a smoother experience for users.

A cache can be in multiple places. This includes:

Browser cache: Your browser keeps a copy of recently visited web pages, images, and other content.

CDN cache: CDNs (content delivery networks) store copies of web resources in multiple, global locations. This ensures that users have access to a nearby server, which reduces load times.

Reverse proxy cache: A reverse proxy server sits between users and the web server. It caches content to reduce server load and improve response times.

Web caching works according to a number of basic principles.

Expiry: Cached content has a time-to-live (TTL) value. Once the TTL has elapsed, the cached copy expires and a fresh copy has to be fetched from the server.

Validation: The cache checks with the server whether the stored content is still valid or needs to be updated.

Invalidation: When a website’s content is updated, the cache is cleared and the latest version is retrieved from the server.

How does cache poisoning work?

Cache poisoning is a cyberattack in which a hacker manipulates the data stored in a web cache, so that the cache holds a malicious or modified version of a page instead of the genuine one.

When a user requests this cached content, they receive the manipulated data instead. This attack can lead to dangerous scripts being executed in users’ browsers.

DNS cache poisoning

In a cache poisoning attack, a hacker exploits the way cache systems store content. Here is a simplified explanation of how this attack works.

The attacker first identifies which resources are cached on a website. They look for pages or resources that the cache might store based on the URL or request headers.

The attacker then crafts a request containing malicious content. This request looks like a legitimate request, so the cache stores the response.

The server processes the request and returns a response that is stored in the cache. If the cache server does not check the request, it stores the malicious content.

Now when a user requests the cached resource, the cache serves the malicious version instead of the legitimate version.

Common techniques used in cache poisoning

Cache poisoning exploits various vulnerabilities in web caching mechanisms. Some of the most common techniques include:

Host header attacks

The “Host” header specifies which domain a request is for. Attackers can modify this header and trick the server into caching a malicious response. For example:

Normal request

GET /resource HTTP/1.1
Host: www.example.com

Malicious request

GET /resource HTTP/1.1
Host: attacker.com

If the cache stores the response that was generated for the manipulated Host header, every user of “www.example.com” could then receive malicious content.

HTTP parameter pollution

Attackers can inject unexpected parameters into URLs. This changes server behavior and poisons the cache. For example:

Normal URL : https://www.example.com/page?id=123

Malicious URL: https://www.example.com/page?id=123&malicious_flag=101

If the server does not sanitize these parameters, different content may end up in the cache. The next user who visits the normal URL may then receive the poisoned content.

Vary header manipulation

The Vary header is an HTTP response header. It tells caches how to store different versions of a web resource based on certain request headers.

For example, if a server sends a “Vary: User-Agent” header, this means that the response can vary based on the client’s user agent. So caches store separate versions of the resource for different user agents, for example one for desktop browsers and another for mobile browsers.

If the “Vary” header is not properly checked, attackers can manipulate the request headers to poison the cache.

For example, an attacker could send a request with a specially crafted “User-Agent” header. This could result in malicious content being cached for the next user.

How to Protect Yourself from Cache Poisoning

Now that we understand how cache poisoning works, let’s look at how we can protect ourselves against it:

Correct input validation

Always validate and sanitize user input, especially request headers and URL parameters. This prevents attackers from injecting malicious content into responses that end up in the cache.

Set caching headers such as “Cache-Control” and “Expires” correctly to prevent sensitive data from being cached. Use headers such as “no-cache,” “no-store,” and “must-revalidate” for dynamic or sensitive content.
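As an added example (not code from the article), the following Python check applies the rules behind these directives to decide whether a shared cache such as a CDN or reverse proxy may store a given response; the sample response headers are constructed.

```python
# Added example (not from the article): decide whether a shared cache such as a
# CDN or reverse proxy may store a response, following the RFC 9111 rules for
# the Cache-Control directives the article names. Sample headers are constructed.

def parse_cache_control(value: str) -> dict:
    """Parse 'no-store, max-age=0' into {'no-store': None, 'max-age': '0'}."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if part:
            name, _, arg = part.partition("=")
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives

def shared_cache_verdict(headers: dict, request_has_auth: bool = False) -> tuple:
    """Return (may_store, reason) for a shared cache looking at one response."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc:
        return False, "no-store: never written to any cache"
    if "private" in cc:
        return False, "private: only the user's browser cache may keep it"
    if "set-cookie" in h:
        # Conservative policy: a cached Set-Cookie would hand one user's
        # session to everyone who later hits the same cache key.
        return False, "Set-Cookie present: mark private or no-store instead"
    if request_has_auth and not ({"public", "s-maxage", "must-revalidate"} & set(cc)):
        return False, "Authorization request without public/s-maxage/must-revalidate"
    if "s-maxage" in cc or "max-age" in cc or "expires" in h:
        return True, "explicit freshness lifetime given"
    if "no-cache" in cc:
        return True, "may be stored but must be revalidated before each reuse"
    return False, "no explicit freshness: do not rely on heuristic caching"

# Constructed responses: a public asset, a logged-in page, an API reply.
SAMPLE_RESPONSES = {
    "static asset": {"Cache-Control": "public, max-age=86400"},
    "account page": {"Cache-Control": "max-age=300", "Set-Cookie": "sid=abc123"},
    "api reply": {"Cache-Control": "no-store"},
}

def audit(responses: dict = SAMPLE_RESPONSES) -> dict:
    """Map each response name to its verdict; flags the account page as unsafe."""
    return {name: shared_cache_verdict(hdrs) for name, hdrs in responses.items()}

if __name__ == "__main__":
    for name, (ok, why) in audit().items():
        print(f"{name:13} {'CACHEABLE' if ok else 'DO NOT CACHE':12} {why}")
```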

Manage cache key settings

Set cache keys correctly to prevent responses with user-specific parameters from being cached. Do not use request headers or query parameters that attackers can easily manipulate.
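The toy reverse-proxy cache below is an added example (not code from the article) that ties this advice back to the Host header and Vary sections above: it shows what a normal user receives when the cache key ignores the Host and User-Agent the origin actually used, and what changes once the key covers them and the origin rejects unknown hosts. All hosts and paths are constructed, and “attacker.example” is a placeholder for an untrusted Host value.

```python
# Added example (not from the article): a toy reverse-proxy cache showing why the
# cache key must include every request input the origin's response depends on
# (Host and User-Agent here). Hosts/paths are constructed; attacker.example is a placeholder.
from dataclasses import dataclass

ALLOWED_HOSTS = {"www.example.com"}

@dataclass(frozen=True)
class Request:
    host: str
    path: str
    user_agent: str = "desktop"

def origin(req: Request, validate_host: bool) -> tuple:
    """Origin that builds an absolute URL from Host; hardened mode refuses unknown hosts."""
    if validate_host and req.host not in ALLOWED_HOSTS:
        return 400, "unknown Host"
    return 200, f'<script src="https://{req.host}/static/{req.user_agent}.js"></script>'

class Cache:
    def __init__(self, key_fn, validate_host: bool):
        self.key_fn, self.validate_host, self.store = key_fn, validate_host, {}

    def fetch(self, req: Request) -> tuple:
        key = self.key_fn(req)
        if key not in self.store:
            status, body = origin(req, self.validate_host)
            if status != 200:
                return status, body      # error responses are never stored
            self.store[key] = body
        return 200, self.store[key]

    def audit(self) -> list:
        """Defender check: list stored entries that reference a host we do not own."""
        return [k for k, body in self.store.items()
                if not any(f"https://{h}/" in body for h in ALLOWED_HOSTS)]

def path_only_key(req: Request):
    return req.path                                  # ignores Host and User-Agent

def full_key(req: Request):
    return (req.host, req.path, req.user_agent)      # mirrors Vary: User-Agent

def scenario(key_fn, validate_host: bool) -> tuple:
    """An unusual request arrives first; return what a normal user gets afterwards."""
    cache = Cache(key_fn, validate_host)
    cache.fetch(Request("attacker.example", "/resource"))
    _, body = cache.fetch(Request("www.example.com", "/resource"))
    return body, cache.audit()
```

Calling `scenario(path_only_key, False)` returns a body referencing attacker.example for the normal user and flags the shared entry, while `scenario(full_key, True)` returns the clean body and an empty audit list.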

Implement HTTPS

HTTPS prevents attackers from intercepting and modifying requests and responses. HTTPS also reduces the risk of cache poisoning attacks, because it ensures data integrity.

Conclusion

Cache poisoning poses a significant risk to web applications and users. Hackers can manipulate cached content to serve malicious data or steal sensitive information.

You can protect your web apps from cache poisoning by learning how it works and taking the right precautions. With the right approach, you can ensure a safer browsing experience for your users.

View the Stealth security newsletter for more articles on offensive and defensive cybersecurity.