Researcher discovers 70 web cache poisoning vulnerabilities, nets $40k in bug bounty rewards
04 January 2022 at 12:01 UTC
Updated: 04 January 2022 at 12:09 UTC
Targets included GitHub, GitLab, HackerOne, and Cloudflare
Despite being a known and well-documented vulnerability, web cache poisoning continues to crop up around the web.
In extensive research across many websites, including some high-traffic online services, security researcher Youstin Ladunca recently discovered 70 cache poisoning vulnerabilities with a range of impacts.
Web cache poisoning attacks target the intermediate storage points between web servers and client devices, such as point-of-presence servers, proxies, and load balancers.
These intermediaries help improve the performance of websites by storing local versions of web content to speed up their delivery to web clients.
Web cache poisoning attacks trick a cache into storing a harmful response for a given URL, so that the cache then serves that response to every client that subsequently requests it.
DoS and XSS
“I started researching Web Cache Poisoning back in November 2020, shortly after reading James Kettle’s extensive research on the topic,” Ladunca told The Daily Swig.
“Only a few weeks in, I discovered two novel cache poisoning vulnerabilities, which made me realize just how wide the attack surface for Cache Poisoning is.”
In a write-up on his blog, Ladunca has detailed how he discovered and reported the web cache vulnerabilities, whose affected targets included Apache Traffic Server, GitHub, GitLab, HackerOne, and Cloudflare, among others.
“A common pattern was Caching Servers configured to only cache static files, meaning attacks were limited to static files only,” Ladunca said. “Even so, there still was significant impact, since modern websites rely heavily on JS and CSS and taking those files down would really affect application availability.”
Several of the web cache vulnerabilities enabled denial of service (DoS) attacks. A cache decides whether two requests are the “same” by comparing a cache key built from parts of the request, typically the path, the query string, and a few headers such as Host; everything else in the request is unkeyed. By sending a request containing an invalid value in an unkeyed header, Ladunca could make the origin return an error response, which the cache then stored under the normal key and served to later visitors in place of the real content, making the target pages inaccessible to clients.
“In terms of techniques used, by far the most common one was CP-DoS through unkeyed headers, which probably accounted for 80% of total findings,” Ladunca said.
Ladunca was awarded a total of around $40,000 in bug bounties for the 70 web cache vulnerabilities he discovered. He also took away important lessons about securing web cache servers.
“I would say a good way to secure CDNs from cache poisoning attacks would be disabling caching for error status codes, a mitigation which should stop a large part of CP-DoS attacks,” he said.
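To make the CP-DoS mechanism and the mitigation concrete, here is a small simulation added for this article; it is not code from Ladunca’s write-up or from any of the vendors named above. A toy cache sits in front of a toy origin and keys responses on the path and the Host header only, so X-Forwarded-Host is unkeyed. The header name, the 256-byte limit that makes the origin return a 400, the “static files only” caching rule and the example paths are all assumptions chosen for illustration. Run it once with error responses cacheable and once with them excluded, and the victim’s outcome flips from a cached 400 to a fresh 200.

```python
# Added example: CP-DoS through an unkeyed header, and the "do not cache errors"
# mitigation. Constructed toy cache and origin; not the researcher's code.

from dataclasses import dataclass

STATIC_SUFFIXES = (".js", ".css")   # assumption: cache only static assets, as the article describes
MAX_HEADER_LEN = 256                 # assumption: origin rejects an oversized X-Forwarded-Host


@dataclass
class Response:
    status: int
    body: str


def origin(path: str, headers: dict) -> Response:
    """Toy origin server: validates X-Forwarded-Host and answers 400 if it is too long."""
    if len(headers.get("X-Forwarded-Host", "")) > MAX_HEADER_LEN:
        return Response(400, "Bad Request: header too long")
    if path.endswith(STATIC_SUFFIXES):
        return Response(200, f"/* contents of {path} */")
    return Response(200, f"<html>page {path}</html>")


class Cache:
    """Minimal shared cache. The cache key is (path, Host); every other header is unkeyed."""

    def __init__(self, cache_errors: bool):
        self.cache_errors = cache_errors   # the weak setting is True; the hardened one is False
        self.store = {}

    @staticmethod
    def key(path: str, headers: dict):
        # Only these parts of the request decide whether a stored response is reused.
        return (path, headers.get("Host", ""))

    def fetch(self, path: str, headers: dict):
        """Return (response, 'HIT' or 'MISS'); on a miss, store the origin response if cacheable."""
        k = self.key(path, headers)
        if k in self.store:
            return self.store[k], "HIT"
        resp = origin(path, headers)
        cacheable = path.endswith(STATIC_SUFFIXES) and (resp.status == 200 or self.cache_errors)
        if cacheable:
            self.store[k] = resp
        return resp, "MISS"


def run_attack(cache_errors: bool):
    """Attacker poisons /static/app.js, then an ordinary user requests it.

    Returns the user's (status, 'HIT' or 'MISS') so the two cache policies can be compared.
    """
    cache = Cache(cache_errors=cache_errors)
    victim_headers = {"Host": "example.com"}                       # constructed normal request
    attacker_headers = {"Host": "example.com",
                        "X-Forwarded-Host": "A" * (MAX_HEADER_LEN + 1)}  # invalid unkeyed header

    # The attacker's request maps to the same cache key as the victim's, because
    # X-Forwarded-Host is not part of the key.
    attacker_resp, _ = cache.fetch("/static/app.js", attacker_headers)
    assert attacker_resp.status == 400

    # A moment later a legitimate user asks for the same file.
    victim_resp, state = cache.fetch("/static/app.js", victim_headers)
    return victim_resp.status, state


if __name__ == "__main__":
    print("errors cached:     victim gets", run_attack(cache_errors=True))
    print("errors not cached: victim gets", run_attack(cache_errors=False))
```

With `cache_errors=True` the victim receives the attacker’s 400 straight from the cache; with `cache_errors=False` the 400 is never stored and the victim’s request goes to the origin and succeeds. In a real engagement the equivalent check is to send the suspect header once and then repeat the plain request, watching a cache indicator such as an `Age` or `X-Cache` header to see whether the error was stored; real caches also expire entries after a TTL, which this toy omits.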
The researcher also recommended using PortSwigger’s Param Miner, an open source Burp Suite extension that identifies hidden, unlinked parameters and headers. Running Param Miner against web applications can help detect unkeyed headers that could be used for web cache poisoning.