![](\"https:\/\/varutra-1a3b6.kxcdn.com\/wp-content\/uploads\/2020\/11\/Web-Cache-Poisoning-\u2013-Through-Host-Header-Injection-2-1024x573.jpg\" "\\"Web")
\nWeb cache poisoning is an advanced hacking technique through which an attacker can exploit the pattern or behavior of a web cache and server. But before comprehending what is web cache poisoning, we should understand web cache and its vulnerabilities. This will help us in taking measures to prevent web cache poisoning.<\/p>\n
<\/p>\n
A cache is a term that is generally used for the information between server and user. When a web server saves data from certain requests temporarily or for some limited amount of time, those data or information is known as a cache. In case, the server receives a similar request then the user will receive the cached information which was saved earlier without having to interact with the server again.<\/p>\n
![\"HTTP](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2020\/11\/HTTP-web-cache..png\")
<\/p>\n
Figure: HTTP web cache.<\/p>\n
<\/p>\n
Servers receive a lot of requests and can get overloaded if it will have to send a new request every single time for each separate HTTP request. Due to this factor, a server can face delay problems and an unsatisfactory user experience. Therefore, the primary use of cache is to reduce the overloading of the webserver.<\/p>\n
When an HTTP request is received by the cache, it will check for a past similar cached response. If there is a response already present then it does not forward the requests to the back-end server for handling. This procedure is carried by Cache Keys. It comprises a pre-defined set of components that consists of the host header and request line from the request. The remaining components of the request that are not present in the key are known as unkeyed components. In case, there are two requests from cached keys, those two requests will be considered equivalent by the server. For such requests, the server provides a saved cached copy of a response to the subsequent requests. There is an expiration time for every saved cache.<\/p>\n
<\/p>\n
Web cache poisoning is an advance attacking technique through which an attacker tries to exploit the target\u2019s web cache and server to distribute malicious HTTP responses.<\/p>\n
The exploitation attack is carried out in two phases:<\/p>\n
Here are some points that are to be considered when we need to perform a web cache poisoning attack.<\/p>\n
Firstly, we need to recognize the unkeyed inputs present in a request. It is because they are often neglected by the server. By using them, we can easily manipulate the server by including payloads in the request inputs when cached data is getting delivered. To identify unkeyed inputs, we need to include different inputs in the request and then observe them. It is done to see whether they cause any effect on response or not. After analyzing those keyed inputs, we can conjure a damaging response from the server with the help of these inputs.<\/p>\n
After we are successful in receiving a payload that contains a damaging response, we can start working on getting this response cached by the user. Once harmful response gets cached, we can finally deliver the payloads to targeted users.<\/p>\n
<\/p>\n
With web cache poisoning, we can carry out multiple payload attacks. Here is the list of vulnerabilities that can be exploited by using web cache poisoning:<\/p>\n
We can also perform exploitation by the implementation of flaws in the cache. It is carried out by exploiting cache key flaws. For example, unkeyed query parameter, internal cache poisoning, unkeyed port, cache key injection, unkeyed query string, etc. We can also achieve this by using cache probing methodology.<\/p>\n
<\/p>\n
In the beginning, the web was quite simple but its complexity is increasing day by day due to caches global network. It helps improve the network\u2019s responsiveness to a site but also introduces more attack space. With the advancement in technology, we can exploit more than just headers and caches with web cache poisoning.<\/p>\n
Different exploitation methodologies like misguided transformation, request line normalization, insecurely stored cache key components, etc, can come in very handy for such a process. Using such methods, an attacker can corrupt the website and perform a persistent DOS attack with just one malicious redirect request.<\/p>\n
<\/p>\n
The following factors impacts web cache poisoning:<\/p>\n
The primary focus of web cache poisoning is delivering payloads to the users. Therefore, the impact depends on the amount of malicious content injected into the payload. Another aspect that decides the impact is the number of users the payload was delivered to. If a popular website is poisoned then its impact will be huge.<\/p>\n
<\/p>\n
Here are some important points that are to be taken into consideration as a preventive measure.<\/p>\n
<\/p>\n
Example:<\/strong><\/p>\n Here is an example of exploiting the vulnerability on the online lab using a web cache. In this lab, web cache poisoning will be explained using the unkeyed header. To fix it we will poison the response cache that will execute \u201calert<\/em>(document.cookie)\u201d in the browser. And, to do so we need only 2 things i.e., the lab itself and the burp suite.<\/p>\n We will be following the steps below:<\/p>\n <\/p>\n Web cache poisoning can even damage a completely secure website and make it vulnerable to attacks by just adding a malicious response in its cache. You can also read about one such vulnerability, i.e.,\u00a0web cache deception<\/a>\u00a0in our\u00a0blog<\/a>\u00a0section.<\/p>\n Thank you.<\/p>\n Author,<\/p>\n Pralekya Hirmalwar<\/strong><\/p>\n Varutra Consulting Pvt. Ltd.<\/p>","protected":false},"excerpt":{"rendered":" Web cache poisoning is an advanced hacking technique through which an attacker can exploit the pattern or behavior of a web cache and server. But…<\/p>\n","protected":false},"author":4,"featured_media":5648,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"inline_featured_image":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[57],"tags":[312,311,144,309,310],"aioseo_notices":[],"aioseo_head":"\n\t\t\n\t\n\t\n\t\n\t\n\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n
![\"Access](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2020\/11\/Access-the-lab-and-capture-that-GET-request-in-burp-suite..png\")
<\/p>\n\n
![\"\"](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2020\/11\/2.png\")
<\/p>\n\n
![\"\"](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2020\/11\/send-this-request-to-the-Repeater..png\")
<\/p>\n\n
\n![\"\"](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2020\/11\/Add-a-parameter.png\")
<\/li>\n
\n![\"\"](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2020\/11\/The-X-Forwarded-Host.png\")
<\/li>\n
\n![\"\"](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2020\/11\/the-exploit-server-change.png\")
<\/li>\n
\n![\"\"](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2020\/11\/the-values-are-stored.png\")
<\/li>\n![\"\"](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2020\/11\/after-changing-the-value-1.png\")
<\/li>\n![\"\"](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2020\/11\/Replay-the-request-until.png\")
<\/p>\n