A Content Delivery Network (CDN) is a distributed network of proxy servers that deliver web content collected from a back end web server using a temporary local storage called a cache. HTTP cache poisoning is a type of attack that allows a remote attacker to inject arbitrary content using unsanitized HTTP headers to poison the remote cache of a CDN. Once an attacker has successfully injected malicious content, future visitors accessing the compromised website will collect and execute the attacker’s injected scripts.
CDNs use HTTP caching software to provide high availability and high performance by distributing the service spatially relative to end-users. The HTTP caching software interprets the HTTP request from a website visitor (web client) using the supplied HTTP headers to select and deliver appropriate content. The content can either be delivered from the local cache or collected by reaching the appropriate back end web servers.
This vulnerability works by sending arbitrary headers into the HTTP request stream, which may be processed by the back end web server or by the HTTP caching software. If either the web server or the HTTP caching software is vulnerable, it will include the attackers injected content in the response without performing any type of sanitization. Once the attacker's malicious content is returned, it will also be cached by the HTTP caching software. The HTTP caching software will continue to serve the malicious content to all future visitors of the website until the cache expires or is deleted. This allows the attacker to inject arbitrary content once and have multiple future visitors of the CDN hosted website collect the attacker's content and execute unwanted scripts.
There are at least two common reasons why these attacks are possible:
1. Certain HTTP headers (e.g., X-Forwarded-Host) are sent by the reverse proxy or CDN to the web server and are many times presumed to be generated/modified by the CDN and therefore trusted.
2. Certain HTTP headers (e.g., User-Agent) are not sanitized by the CDN before being delivered to the web server.
By performing a malicious request using HTTP headers, an attacker could poison the cache of an CDN provider and inject malicious content that will affect multiple future visitors of the website.
CDN service providers should implement both of these recommendations:
As a work around, caching software providers can disable caching when suspicious content is found in the HTTP headers or the body of the HTTP requests. This prevents the storing and distributing of malicious content to all visitors of a website.
Thanks to Dr. Mingkui Wei from Cyber Forensic Intelligence Center, Computer Science, Sam Houston State University for reporting this vulnerability. We would also like to acknowledge the prior research completed by Carlos Bueno and James Kettle.
This document was written by Vijay S Sarvepalli.
|Date First Published:||2020-01-14|
|Date Last Updated:||2020-01-14 19:27 UTC|