Cache Poisoning DoS Attack
Cache-Poisoned Denial-of-Service (CPDoS) is a denial-of-service attack that abuses the caching layer sitting in front of a web server: the attacker gets an error response stored in the cache, and the cache then serves that error to everyone else.
Overview
Modern web applications are usually served by two tiers of HTTP servers, front-end and back-end:
- Front-end Servers: A “front-end” server receives user requests directly. Caching and load balancing are common functions of these servers, and they often also act as web application firewalls (WAFs).
- Back-end Servers: A “back-end” (origin) server receives requests from the front-end server. The server-side application code runs here.
Fig 1: Front-end and Back-end server’s concept
The front-end servers are the ones that implement the cache, and that cache is what this attack abuses.
Cache
A cache stores data so that future requests for it can be served faster. The stored data is either the result of an earlier computation or a copy of data that lives somewhere else.
Caching is a standard technique for improving the performance of an application; in technical terms it is the process of storing information in, and retrieving it from, the cache.
Fig 2: Cache definition
The figure shows two cases:
- First Request: The client sends a request. It reaches the cache server (front end) first, which has no stored copy and forwards it to the origin server (back end). The origin returns the response to the cache server, which stores it and passes the same response on to the client (user).
- Subsequent Requests: Whenever a user sends the same request, the cache server answers from its stored copy without contacting the origin. This works because the response was already cached by the caching server.
Cache Poisoning
Cache poisoning means sending a request that produces a harmful response and getting that response stored in the cache, from where it is later served to other users.
Fig 3: Cache poisoning
The attacker sends a malicious request to the server, and the resulting malicious response is stored by the cache server. Whenever a user later issues the same request, the poisoned response is served to them from the cache.
DoS Attack
The aim of a Denial of Service (DoS) attack is to make a resource (a website, an application, or a server) unavailable, so that users cannot carry out the functions it was created for.
Cache Poisoning DoS (CPDoS) Attack
Cache-Poisoned Denial-of-Service (CPDoS) is a class of web cache poisoning attack, described in 2019 by Nguyen, Lo Iacono and Federrath, whose effect is to take web resources or whole websites offline for other users. It is possible whenever an intermediate cache proxy (the front end) between the client (the user) and the web server (the back end) is configured to store responses that carry an error status code (for example 400 Bad Request).
The attacker crafts an HTTP request that makes the web server respond with an error status code for a resource (path) that actually exists. The proxy caches that error response, and other users who request the same resource receive the cached error from the proxy rather than the correct content.
The Attack Flow
Fig 4: CPDoS Attack Flow
- The attacker sends an otherwise normal HTTP request for the target resource that carries a malicious header value.
- The cache server (front end) sitting between client and origin has no entry for the resource, so it forwards the request to the origin server (back end).
- The origin rejects the malicious request and answers with an error response.
- The cache server stores that error response and returns it to the attacker.
- The attacker can confirm the poisoning by requesting the resource again: a cached answer typically comes back with an Age header or a CDN-specific hit marker such as X-Cache, without the origin being contacted.
- Every legitimate user who now requests the resource receives the cached error response instead of the real page, until the entry expires or is purged.
Variations of CPDoS Attack
- HTTP Header Oversize (HHO): Most web servers limit the size of request headers (Apache’s default LimitRequestFieldSize is 8,190 bytes). Other systems permit more, and some CDNs accept headers of up to 20,480 bytes.
An HHO CPDoS attack is possible when the cache server accepts a larger header size than its origin server. The attacker sends a request whose header is larger than the origin’s limit but smaller than the cache’s limit. The cache forwards it; the web server rejects it because the request header exceeds its size limit and returns an error page with status 400 Bad Request, which the cache then stores. All future requests for that resource receive the error instead of the original content.
A sample HHO request looks like this:
GET /test.html HTTP/1.1
Host: www.example.com
X-Oversized-Header: large value
…
- HTTP Meta Character (HMC): This variant works like HHO, but instead of an oversized header the attacker sends a request header containing characters the origin treats as illegal, such as the line-break characters \n and \r.
A sample HMC request looks like this:
GET /test.html HTTP/1.1
Host: www.example.com
X-Metachar-Header: \n
…
A cache server that does not validate header values forwards the request to the origin without stripping the harmful characters. The origin recognises the request as malformed and returns an error response, which the cache stores and later reuses.
- HTTP Method Override (HMO): HTTP defines several methods (GET, POST, PUT, DELETE, and others), but caches normally store responses to GET only, and many intermediaries (proxies, firewalls) forward only GET and POST. Web frameworks therefore often accept a header such as X-HTTP-Method-Override that lets a client tunnel another method inside a GET or POST. The attacker sends a GET for the target resource with an override header whose value the origin does not support for that resource; the origin answers with an error (for example 405 Method Not Allowed or 404 Not Found), and the cache stores that error under the key of the plain GET and reuses it.
A sample HMO request looks like this:
GET /test.html HTTP/1.1
Host: www.example.com
X-HTTP-Method-Override: DELETE
…
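To make the attack flow and the three variants above concrete, here is an offline model of a caching front-end in front of an origin server. It is an added example, not code from the original post or from any real CDN or web server: the Origin and Cache classes, the header limits (8,190 bytes for the origin, 20,480 for the cache), the path-only cache key and the 405 answer to an overridden method are assumptions chosen to reproduce the mismatch the text describes. `run_variant` replays one attacker request followed by one ordinary request and returns the status each of them sees.

```python
# Added example (not code from the original post): an offline model of a caching
# front-end in front of an origin server, used to replay the CPDoS flow and the
# HHO, HMC and HMO variants. The Origin and Cache classes, the header limits and
# the 405 answer to an overridden method are assumptions for illustration.
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    body: str


class Origin:
    """Back-end server: strict about header size, control characters and methods."""

    def __init__(self, header_limit=8190):
        self.header_limit = header_limit            # assumed Apache-like per-field limit
        self.pages = {"/test.html": "<h1>hello</h1>"}

    def handle(self, method, path, headers):
        for name, value in headers.items():
            # "Name: value\r\n" must fit into the per-field limit (HHO)
            if len(name) + len(value) + 4 > self.header_limit:
                return Response(400, "Bad Request: header field too large")
            # CR or LF inside a field value is illegal (HMC)
            if "\r" in value or "\n" in value:
                return Response(400, "Bad Request: illegal header character")
        # The application honours X-HTTP-Method-Override (HMO); a static page only
        # supports GET/HEAD, so any other effective method is answered with 405.
        effective = headers.get("X-HTTP-Method-Override", method).upper()
        if effective not in ("GET", "HEAD"):
            return Response(405, "Method Not Allowed")
        if path not in self.pages:
            return Response(404, "Not Found")
        return Response(200, self.pages[path])


class Cache:
    """Front-end cache keyed on the path only, with a larger header limit than the origin."""

    def __init__(self, origin, header_limit=20480, cache_errors=True):
        self.origin = origin
        self.header_limit = header_limit
        self.cache_errors = cache_errors            # True models the vulnerable configuration
        self.store = {}
        self.hits = 0

    def get(self, path, headers=None):
        headers = headers or {}
        if path in self.store:                      # cache hit: origin is never consulted
            self.hits += 1
            return self.store[path]
        for name, value in headers.items():
            if len(name) + len(value) + 4 > self.header_limit:
                return Response(431, "Request Header Fields Too Large")
        response = self.origin.handle("GET", path, headers)
        if response.status == 200 or self.cache_errors:
            self.store[path] = response             # a poisoned entry lands here
        return response


# Constructed attacker headers, one per CPDoS variant.
ATTACKS = {
    "HHO": {"X-Oversized-Header": "A" * 10000},    # above 8190, below 20480
    "HMC": {"X-Metachar-Header": "\n"},
    "HMO": {"X-HTTP-Method-Override": "DELETE"},
}


def run_variant(variant, cache_errors=True):
    """Return (status seen by the attacker, status a later legitimate user gets)."""
    cache = Cache(Origin(), cache_errors=cache_errors)
    attacker = cache.get("/test.html", ATTACKS[variant])
    victim = cache.get("/test.html")                # ordinary request, no malicious header
    return attacker.status, victim.status


if __name__ == "__main__":
    for name in ATTACKS:
        print(name, "errors cached:", run_variant(name),
              "errors not cached:", run_variant(name, cache_errors=False))
```

With `cache_errors=True` every variant ends with the legitimate user receiving the same error the attacker provoked (400 for HHO and HMC, 405 for HMO); with `cache_errors=False` the attacker still gets the error but the next user is served the real page, which is the whole point of the mitigations that follow.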
Recommendations and Mitigations
Mitigations against CPDoS attacks:
- Configure the CDN service so that HTTP error responses are not cached by default.
- Add “Cache-Control: no-store” to the HTTP headers of all error pages. This can be done in the web server’s configuration files and disables caching of error pages regardless of the CDN’s defaults.
- Under the HTTP caching standard (RFC 7231), a 400 Bad Request, the error that HHO and HMC provoke, is not cacheable by default, so a standards-compliant CDN will not store it. Errors such as 404 (Not Found), 405 (Method Not Allowed), 410 (Gone) and 501 (Not Implemented) are cacheable by default, so an attack that produces one of them (for example HMO) can still poison a standards-compliant cache unless the origin marks those responses no-store.
- The basic step to prevent CPDoS attacks is therefore to cache error pages only as far as the HTTP standard allows, and to mark the rest explicitly as not storable.
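The store-or-not decision the mitigations above rely on, as an added example that is not code from the original post or from any CDN. The status-code set is the “cacheable by default” list from RFC 7231 section 6.1; the Cache-Control handling is a simplified reading of RFC 7234 rather than a full implementation, and the GET/HEAD-only rule is an assumed CDN policy. `error_headers` is the origin-side mitigation from the list: stamping every error response with no-store.

```python
# Added example (not code from the original post): a store-or-not decision for a
# caching front-end. HEURISTICALLY_CACHEABLE is RFC 7231 section 6.1; the
# Cache-Control parsing is a simplified model of RFC 7234, and caching only
# GET/HEAD responses is an assumed CDN policy.

# Status codes a cache may store without explicit freshness information.
HEURISTICALLY_CACHEABLE = {200, 203, 204, 206, 300, 301, 404, 405, 410, 414, 501}


def parse_cache_control(value):
    """Split 'public, max-age=60' into {'public': True, 'max-age': '60'}."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or True
    return directives


def should_store(status, headers, request_method="GET"):
    """Decide whether a shared cache may store this response."""
    lowered = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lowered.get("cache-control", ""))
    if request_method not in ("GET", "HEAD"):
        return False                            # assumed policy: only cache safe methods
    if "no-store" in cc or "private" in cc:
        return False                            # origin forbids shared caching
    explicit = ("max-age" in cc or "s-maxage" in cc
                or "public" in cc or "expires" in lowered)
    if explicit:
        return True                             # origin asked for it, whatever the status
    return status in HEURISTICALLY_CACHEABLE    # otherwise only the default-cacheable codes


def error_headers(status, headers):
    """Origin-side mitigation: stamp Cache-Control: no-store on every error response."""
    out = dict(headers)
    if status >= 400:
        out["Cache-Control"] = "no-store"
    return out


if __name__ == "__main__":
    # A 400 (the usual HHO/HMC result) is not cacheable by default; 404 and 405 are.
    print(should_store(400, {}), should_store(404, {}), should_store(405, {}))
    # Marking the error page no-store closes the 404/405 path as well.
    print(should_store(405, error_headers(405, {})))
```

Note the last rule: a response with explicit freshness (max-age, s-maxage, Expires or public) is storable even when its status is an error, so an origin that blindly sets max-age on every response, error pages included, reopens the attack against a cache that otherwise follows the standard.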
Conclusion
Web cache poisoning is one of the more devious ways of damaging web infrastructure, so it is crucial to protect your applications from these attacks. A related web cache vulnerability you may come across is web cache deception. You can read about other such issues in our blog section; for more information, visit our website and connect with our cybersecurity professionals for expert advice.
Author
D.Vamshi Krishna
Attack and Pentest Team
Varutra Consulting Pvt. Ltd.