The Cache Poisoning Denial of Service attack, also known as CPDoS, is a type of DoS attack that relies primarily on the web server's caching mechanism.
Overview
The HTTP infrastructure of a modern web application typically consists of front-end and back-end servers.
Fig 1: Front-end and Back-end server’s concept
Here the front-end servers play an important role in the cache mechanism.
Cache
The basic function of a cache is to store data so that future requests for it can be served quickly, without repeating the work needed to produce it. The data held in a cache is the result of an earlier computation or a copy of data stored in a different location.
Caching is a technique for improving the performance of an application. In technical terms, it is the process of storing information in, and retrieving it from, the cache.
Fig 2: Cache definition
The conclusion drawn from the figure above is:
Cache Poisoning
In cache poisoning, the attacker sends a request that causes the server to produce a damaging response. By default this response is saved in the cache and is later served to other users.
Fig 3: Cache poisoning
An attacker sends a malicious request to the server, and the resulting malicious response is stored by the cache server. Whenever another user makes the same request, the poisoned response is served from the cache instead of a fresh response from the origin.
DoS Attack
The main aim of a Denial of Service (DoS) attack is to make a resource (a website, an application, or a server) unavailable, so that users cannot carry out the functions for which it was created.
Cache Poisoning DoS (CPDoS) Attack
Cache-Poisoned Denial-of-Service (CPDoS) is a newer class of web cache poisoning attack that results in web resources and whole websites being taken offline. The attack is possible whenever an intermediate cache proxy (the front end) sits between the client (the user) and the web server (the back end) and is configured to cache responses carrying error status codes (e.g. 400 Bad Request).
An attacker crafts an HTTP request that forces the web server to respond with an error status code for a resource (path) that actually exists. The proxy caches this error response, and other users who request the same resource receive the cached error from the proxy rather than the correct content.
The Attack Flow
Fig 4: CPDoS Attack Flow
Variations of CPDoS Attack
HHO (HTTP Header Oversize) CPDoS can be exploited when a cache server accepts a larger request header size than its origin server does. The attacker sends a request whose header is larger than the origin server's limit but smaller than the cache server's limit. The cache forwards the request; the origin server rejects it because the request header exceeds its size limit and returns an error page with status 400 Bad Request, which the cache then stores. All subsequent requests for the same resource are served the cached error instead of the original content.
A sample HHO request with an oversized header looks like:
GET /test.html HTTP/1.1
Host: www.example.com
X-Oversized-Header: large value
…
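As an added example (not part of the original post), the following Python simulation walks through the HHO flow described above against a cache keyed on the request path only. The header limits, host name and response bodies are constructed for illustration; the naive cache stores the origin's 400 and serves it to later clients, while the hardened cache never stores error responses, which is the mitigation a front-end cache should apply.

```python
from dataclasses import dataclass, field

ORIGIN_HEADER_LIMIT = 8 * 1024    # assumed origin server header limit (bytes)
CACHE_HEADER_LIMIT = 16 * 1024    # assumed cache limit, larger than the origin's


def header_size(headers):
    """Approximate wire size of the header block ("Name: value" + CRLF per header)."""
    return sum(len(name) + len(value) + 4 for name, value in headers.items())


def origin(path, headers):
    """Origin server: rejects an oversized header block with 400, else serves the page."""
    if header_size(headers) > ORIGIN_HEADER_LIMIT:
        return 400, "Bad Request"
    return 200, f"content of {path}"


@dataclass
class Cache:
    """Front-end cache keyed on the request path only; headers are not part of the key."""
    store_errors: bool            # True = naive cache that stores whatever the origin returns
    store: dict = field(default_factory=dict)

    def get(self, path, headers):
        if header_size(headers) > CACHE_HEADER_LIMIT:
            return 400, "Bad Request"      # too big even for the cache: never forwarded
        if path in self.store:
            return self.store[path]        # cache hit: the origin is not consulted
        status, body = origin(path, headers)
        # Hardened behaviour: error responses are passed to the client but never stored.
        if status < 400 or self.store_errors:
            self.store[path] = (status, body)
        return status, body


def run_hho_scenario(store_errors):
    """One oversized-header request, then a normal request for the same path.
    Returns (status seen by the first client, status seen by the later client)."""
    cache = Cache(store_errors=store_errors)
    # Constructed request: header block above the origin limit, below the cache limit.
    oversized = {"Host": "www.example.com",
                 "X-Oversized-Header": "A" * (ORIGIN_HEADER_LIMIT + 512)}
    first_status, _ = cache.get("/test.html", oversized)
    later_status, _ = cache.get("/test.html", {"Host": "www.example.com"})
    return first_status, later_status


if __name__ == "__main__":
    print("naive cache:   ", run_hho_scenario(store_errors=True))   # (400, 400): later client denied
    print("hardened cache:", run_hho_scenario(store_errors=False))  # (400, 200): later client served
```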
A sample HMC (HTTP Meta Character) request, carrying a meta character in a header, looks like:
GET /test.html HTTP/1.1
Host: www.example.com
X-Metachar-Header: \n
…
A cache server that does not inspect headers for meta characters forwards the above request to the origin server without blocking the harmful characters. The origin server treats the request as malicious and returns an error response, which the cache stores and later reuses for other clients.
A sample HMO (HTTP Method Override) request looks like:
GET /test.html HTTP/1.1
Host: www.example.com
X-HTTP-Method-Override: DELETE
…
Recommendations and Mitigations
Mitigations against CPDoS attacks.
Conclusion
Web cache poisoning is one of the more devious ways to damage web infrastructure, so it is crucial to protect against these attacks. A related web cache vulnerability you may come across is web cache deception. You can read about such cyber security issues in our blog section, and for more information you can visit our website and connect with our cybersecurity professionals for expert advice.
Author
D.Vamshi Krishna
Attack and Pentest Team
Varutra Consulting Pvt. Ltd.