A group of security researchers from German universities has devised a new class of web cache poisoning attacks that could render victim services unreachable.
A cache is meant to reduce the volume of network traffic by reusing HTTP responses; it helps applications scale and also provides a degree of protection against denial-of-service (DoS) attacks.
Researchers at Cologne University of Applied Sciences and University of Hamburg, Germany, discovered a new attack that involves poisoning the cache with a server-generated error page and then serving useless content instead of the legitimate one.
The attack, the researchers explain in a whitepaper (PDF), works against one proxy cache product and five content delivery network (CDN) services, including prominent solutions that cache high-value websites: Akamai, CDN77, Fastly, Cloudflare, CloudFront, and Varnish all allow error pages to be cached.
“The consequences are severe as one simple request is sufficient to paralyze a victim website within a large geographical region. The awareness of the newly introduced CPDoS attack is highly valuable for researchers for obtaining a comprehensive understanding of causes and countermeasures as well as practitioners for implementing robust and secure distributed systems,” the researchers say.
The attack exploits a general issue in layered systems, where there are differences in interpretation when operating on the same message in sequence. Specifically, the problem arises from the fact that the attacker-generated HTTP request for a cacheable resource contains inaccurate fields that, while ignored by the caching system, raise an error when processed by the origin server.
Thus, the intermediate cache receives an error page from the origin server, meaning that the cache is poisoned with the server-generated error page. Because the useless content renders the victim service unreachable, the new class of attacks was named “Cache-Poisoned Denial-of-Service (CPDoS)”.
During their investigation, the researchers empirically studied how fifteen available web caching solutions behave when handling HTTP requests containing inaccurate fields and when caching the resulting error pages; the vulnerable services they discovered have already been alerted on the matter.
The attack exploits the semantic gap between two HTTP engines, one in a shared cache and another in an origin server. In this context, the deployed caching system is more lenient in processing requests than the origin server, which allows the attacker to introduce harmful headers in the request.
With these headers forwarded without any changes to the origin server, the request runs through the cache without issue, but the processing on the server results in an error. Thus, the server responds with the error, which is then stored and reused by the cache for recurring requests.
This results in each client that makes a GET request to the infected URL receiving a stored error message. According to the whitepaper, a simple request, which is below the detection threshold of web app firewalls and DoS protections, is enough to replace the genuine content in the cache by an error page.
Harmless CPDoS can render images or style resources unavailable, thus affecting the visual appearance of applications, but more serious attacks could render entire web applications inaccessible. Additionally, CPDoS attacks could block patches or firmware updates distributed via caches.
“Attackers can also disable important security alerts or messages on mission-critical websites such as online banking or official governmental websites. Imagine, e.g., a situation in which a CPDoS attack prevents alerts about phishing emails or natural catastrophes from being displayed to the respective user,” the researchers say.
An attacker could exploit this with little effort without the risk of being detected, but with a high probability of success, which means that CPDoS poses a high risk, the researchers say.
In their paper, the researchers present three variations of the general CPDoS attack: HTTP Method Override (HMO), in which a malicious client crafts a GET request that includes an HTTP method-overriding header; HTTP Header Oversize (HHO), in which the malicious client sends a GET request including a header larger than the limit of the origin server but smaller than that of the cache; and HTTP Meta Character (HMC), which is similar to HHO but relies on a request header containing a harmful meta character.
Experiments have revealed that 8 websites of the Department of Defense, over a dozen of the Alexa Top 500 sites, and millions of URLs stored in a data set of the HTTP Archive are vulnerable to CPDoS attacks.
“According to our experiments 11% of the DoD web sites, 30% of the Alexa Top 500 websites and 16% of the URLs in the analyzed HTTP Archive data set are potentially vulnerable to CPDoS attacks. These cached contents include also mission-critical firmware and update files,” the researchers note.
Some of the vulnerable resources are ethereum.org, marines.com, and nasa.gov due to their use of CloudFront as a CDN. On these, the researchers were able to block scripts, style sheets, images, and even dynamic content.
The researchers reported the vulnerabilities to the HTTP implementation vendors and cache providers (including AWS, Microsoft, Play 1, and Flask) in February 2019 and also worked closely with them to eliminate the detected threats.
While excluding error pages from cache appears to be the most intuitive and effective countermeasure against CPDoS attacks, this could impact performance in many cases.
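To make the semantic gap and the countermeasure concrete, here is a toy model added for this article (not the researchers' code): a shared cache keyed on the URL only, in front of an origin whose per-header limit is lower than the cache's. The two header limits, the `Cache` class and its `cache_errors` switch are assumptions; the model shows the naive cache storing the origin's error page and the hardened policy that returns the error to the requesting client but never stores it.

```python
from dataclasses import dataclass, field

CACHE_HEADER_LIMIT = 8192    # bytes per header the cache tolerates (assumed value)
ORIGIN_HEADER_LIMIT = 4096   # bytes per header the origin tolerates (assumed value)

@dataclass
class Response:
    status: int
    body: str
    headers: dict = field(default_factory=dict)

def origin(url: str, headers: dict) -> Response:
    """Origin server: any header beyond its limit yields a 400 error page."""
    for name, value in headers.items():
        if len(value) > ORIGIN_HEADER_LIMIT:
            return Response(400, f"400 Bad Request: header {name} too large")
    return Response(200, f"<html>content of {url}</html>",
                    {"Cache-Control": "max-age=300"})

@dataclass
class Cache:
    cache_errors: bool                 # True models the naive behaviour the paper found
    store: dict = field(default_factory=dict)

    def get(self, url: str, headers: dict) -> Response:
        if url in self.store:
            return self.store[url]     # cache hit: origin is not consulted at all
        for value in headers.values():
            if len(value) > CACHE_HEADER_LIMIT:
                return Response(431, "431 Request Header Fields Too Large")
        resp = origin(url, headers)    # key is the URL only: headers are forwarded, not keyed
        # Hardened policy: an error response goes to this client but is never stored
        if resp.status < 400 or self.cache_errors:
            self.store[url] = resp
        return resp

def simulate(cache_errors: bool) -> int:
    """Send one HHO-style request, then report what an ordinary visitor gets."""
    cache = Cache(cache_errors=cache_errors)
    url = "/index.html"
    # Constructed request: header size falls in the gap between the two limits,
    # so the cache forwards it unchanged but the origin rejects it.
    oversized = {"X-Oversized": "A" * (ORIGIN_HEADER_LIMIT + 1)}
    cache.get(url, oversized)
    return cache.get(url, {}).status   # what every later client for this URL receives

if __name__ == "__main__":
    print("naive cache serves:", simulate(True))      # 400
    print("hardened cache serves:", simulate(False))  # 200
```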