Software Engineering Institute

CDNs use HTTP caching software to provide high availability and high performance by distributing the service spatially relative to end-users. The HTTP caching software interprets the HTTP request from a website visitor (web client) using the supplied HTTP headers to select and deliver appropriate content. The content can either be delivered from the local cache or collected by reaching the appropriate back end web servers.

This vulnerability works by sending arbitrary headers into the HTTP request stream, which may be processed by the back end web server or by the HTTP caching software. If either the web server or the HTTP caching software is vulnerable, it will include the attackers injected content in the response without performing any type of sanitization. Once the attacker's malicious content is returned, it will also be cached by the HTTP caching software. The HTTP caching software will continue to serve the malicious content to all future visitors of the website until the cache expires or is deleted. This allows the attacker to inject arbitrary content once and have multiple future visitors of the CDN hosted website collect the attacker's content and execute unwanted scripts.

HTTP header injection using traditional headers, like the Host header and X-Forwarded-Host header, is not a new attack method. New HTTP headers like X-Forwarded-Proto, Referer, Upgrade-Insecure-Requests, and X-DNS-Prefetch-Control have been created to provide more capabilities for HTTP processing. Cloud caching in addition to newly available headers allows for an increase in prolonged, large scale attacks against busy and popular websites.

Some examples of the vulnerable headers are:

Content-Security-Policy-Report-Only
Forwarded
Server-Timing
Set-Cookie
Strict-Transport-Security
X-Forwarded-Proto
Location
Accept-Language
Cookie
X-Forwarded-For
X-Forwarded-Host
Referer
Max-Forwards

By performing a malicious request using HTTP headers, an attacker could poison the cache of an CDN provider and inject malicious content that will affect multiple future visitors of the website.

CDN service providers should implement both of these recommendations:

1. CDNs should inspect and sanitize headers using appropriate enforcement and strict adherence to applicable RFCs before forwarding theses headers to back end web servers.
2. CDNs should also replace, remove, or append headers after sanitiziation that are submitted by the client but are expected to be generated or validated by the CDN, such as the X-Forwarded-Host header.

Back end web servers should not trust any content sent as part of the HTTP request. Web servers should implement secure encoding of output appropriate for the common context targets in web applications (e.g. HTML, XML, JavaScript, etc) as recommended by OWASP.

As a work around, caching software providers can disable caching when suspicious content is found in the HTTP headers or the body of the HTTP requests. This prevents the storing and distributing of malicious content to all visitors of a website.

Back end web server administrators can use the appropriate Cache-Control and Expiry headers to avoid caching of dynamically generated content by the CDNs. This will prevent the storage and delivery of malicious content to future visitors.