10 Nov 2019

Cache Poisoned Denial of Service

Cache Poisoned Denial of Service is an attack vector that disables valid user access to online resources and websites. As caching plays a vital part in the delivery architecture of most web applications, attacks against this infrastructure component can have a significant impact on the availability of an online service.

Implementing caching, whether it be on your origin server or by leveraging the services of a Content Delivery Network, is a proven strategy that enhances the end-user experience. By improving page-load speeds, not only does your site deliver the performance expected by today’s modern online user, but it also improves your search engine ranking. However, when this vital component of your web service architecture comes under attack, it has the potential to cause reputational harm to your business or online brand.

What is a Cache Poisoned Denial of Service Attack?

A Cache Poisoned Denial of Service (CPDoS) is a malicious manipulation of a web cache service that results in legitimate users being unable to access online resources. Typically, a CPDoS attack starts with a bad actor sending an otherwise standard HTTP request to your service that carries a malicious header. Because the requested resource is not yet in the cache, the cache forwards the request to the origin server to obtain a fresh copy of the content. The web server responds with an error page, and the cache stores that error page in place of the legitimate resource.

The attacker will know if their web cache poisoning attack is successful when they navigate to the infected resource, and it presents them with an error page. When a legitimate user tries to access the resource, the site displays an error message instead of the requested content, effectively causing a Denial of Service.

What are HTTP Headers?

HTTP headers are a vital component of the HTTP protocol. They play a crucial role in managing the requests sent by a browser and the responses received from the web server. Dividing these protocol components by the direction of travel places them in two logical groups: HTTP request headers and HTTP response headers. Both groups carry the information needed to manage the communication between the source and destination of an HTTP request. Cache-related settings, request or response metadata, and media types, encodings, and languages are the kinds of data typically carried in HTTP headers.

How do Attackers Execute a CPDoS Attack?

According to cpdos.org, three attack strategies can produce a successful CPDoS attack: HTTP Header Oversize, HTTP Meta Character, and HTTP Method Override.

HTTP Header Oversize (HHO)

The HTTP Header Oversize (HHO) attack leverages a misconfiguration between the cache settings on the origin server and another caching service such as a Content Delivery Network (CDN). This CPDoS vector takes advantage of the fact that the HTTP protocol standard does not define a size limit for HTTP request headers. Consequently, each technology that uses HTTP sets its own header size limit. A CPDoS attack leveraging HHO exploits the discrepancy between the header size limit of the origin server and that of the caching service. If the cache's header size limit exceeds that of the web server, the deployment is vulnerable to a CPDoS HHO attack.

An attacker launches a CPDoS HHO attack by crafting an HTTP GET request whose headers are larger than the size permitted by the origin server but still within the limit accepted by the CDN. When the origin server receives the oversized headers, it generates an error and sends it back to the CDN. Since the size of the headers is within the CDN's own threshold, the CDN stores the error message in its cache. When legitimate users try to access the poisoned resource, the cache presents them with the error message instead of the content they requested.

HTTP Meta Character (HMC)

Similar in execution to the HTTP Header Oversize vector, the HTTP Meta Character (HMC) CPDoS attack also exploits the absence of a uniformly enforced rule for what an HTTP request header may contain. With HMC, the attacker includes a meta character such as a line break (\n) in a header of their HTTP request. If the CDN accepts the meta character, it passes the request on to the origin server because it holds no cached copy of the content. The origin server then returns an error because it does not accept that particular meta character in a request header. The cache is then poisoned with an error message instead of the legitimate content.
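Both the HHO and the HMC vectors above come down to the same configuration review question: does the cache apply a looser header policy than the origin behind it? The Python below is an added illustration, not code from cpdos.org or from any vendor's product. It models each side's policy as data, scores a header block the way each side would (431 Request Header Fields Too Large for an oversized block, 400 Bad Request for a control character), and flags the mismatch that lets an error reach the cache. The byte limits, header names and sample requests are constructed for the example and are not any product's defaults.

```python
"""Toy request-header validator: models the size and meta-character rules a
cache and an origin server may each apply, and flags the mismatch between
them that the HHO and HMC vectors rely on. Added example; all limits and
sample headers are constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class HeaderPolicy:
    name: str
    max_header_bytes: int     # total size of the request header block
    reject_ctl_chars: bool    # refuse CR/LF or other control bytes in values


# Constructed policies: a cache that is more permissive than its origin.
CDN_POLICY = HeaderPolicy("cdn", max_header_bytes=20480, reject_ctl_chars=False)
ORIGIN_POLICY = HeaderPolicy("origin", max_header_bytes=8192, reject_ctl_chars=True)


def parse_headers(raw: bytes) -> list[tuple[str, str]]:
    """Split a CRLF-terminated HTTP/1.1 header block (request line excluded)
    into (name, value) pairs. A line without a colon is malformed."""
    headers = []
    for line in raw.split(b"\r\n"):
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.decode("latin-1").strip(), value.decode("latin-1").strip()))
    return headers


def evaluate(raw: bytes, policy: HeaderPolicy) -> int:
    """Return the HTTP status this policy produces for the header block:
    200 if it passes, 431 if the block is oversized, 400 if a value carries
    a control character (such as a bare line feed) the policy rejects."""
    if len(raw) > policy.max_header_bytes:
        return 431
    if not policy.reject_ctl_chars:
        return 200          # a permissive cache forwards the bytes untouched
    try:
        headers = parse_headers(raw)
    except ValueError:
        return 400
    for _, value in headers:
        if any(ord(c) < 0x20 or c == "\x7f" for c in value):
            return 400
    return 200


def check_alignment(cache: HeaderPolicy, origin: HeaderPolicy) -> list[str]:
    """Configuration review: list the ways the cache would forward a request
    that the origin will reject, i.e. the conditions for a cacheable error."""
    findings = []
    if cache.max_header_bytes > origin.max_header_bytes:
        findings.append(f"{cache.name} accepts header blocks up to {cache.max_header_bytes} B "
                        f"but {origin.name} rejects above {origin.max_header_bytes} B (HHO exposure)")
    if origin.reject_ctl_chars and not cache.reject_ctl_chars:
        findings.append(f"{cache.name} forwards control characters that {origin.name} rejects (HMC exposure)")
    return findings


def build_headers(extra: dict[str, str]) -> bytes:
    """Assemble a constructed header block from a fixed base plus extra fields."""
    lines = [b"Host: example.test", b"User-Agent: demo/1.0"]
    lines += [f"{k}: {v}".encode("latin-1") for k, v in extra.items()]
    return b"\r\n".join(lines) + b"\r\n"


# Constructed sample requests.
NORMAL = build_headers({})
OVERSIZED = build_headers({"X-Pad": "a" * 10000})       # between 8 KiB and 20 KiB
META_CHAR = build_headers({"X-Note": "line1\nline2"})   # bare LF inside a value

if __name__ == "__main__":
    for label, block in (("normal", NORMAL), ("oversized", OVERSIZED), ("meta-char", META_CHAR)):
        print(f"{label:10} cdn={evaluate(block, CDN_POLICY)} origin={evaluate(block, ORIGIN_POLICY)}")
    for finding in check_alignment(CDN_POLICY, ORIGIN_POLICY):
        print("finding:", finding)
```

Any row where the cache column reads 200 and the origin column does not is a request the cache will forward and whose error response it will receive; whether that error is then stored is the separate question addressed under mitigation.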

HTTP Method Override (HMO)

With an HTTP Method Override Cache Poisoned Denial of Service attack, the attacker utilizes any one of the several HTTP methods the HTTP protocol standard provides. These include GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, and PATCH. Internet intermediary technologies such as firewalls, proxies, and load balancers typically block all requests except the two most popular methods, GET and POST. Because some REST-based APIs and web frameworks rely on the other methods, they honor HTTP headers such as X-HTTP-Method-Override, X-HTTP-Method, or X-Method-Override. These headers instruct the web server to disregard the HTTP method in the request line and replace it with the one named in the specially crafted header.

If a website or web service utilizes a vulnerable CDN to improve the performance of its site, attackers can craft a malicious HTTP header to create a Cache Poisoned Denial of Service. For example, they can embed a POST request in an HTTP method override header and send the request to their intended target. The cache interprets it as a GET request and passes it on to the web service. When the service unpacks the header and finds a POST, the target responds with an error if it has no business logic or server-side validation to handle the unexpected method. The service then sends the error page back to the cache, effectively poisoning it and creating a denial of service for legitimate users.

Mitigating a CPDoS Attack

The primary reason CPDoS attacks succeed is poor implementation of the HTTP standard for error responses. Many web servers and frameworks return a “400 Bad Request” by default. According to the HTTP standard, only “404 Not Found”, “405 Method Not Allowed”, “410 Gone”, and “501 Not Implemented” are HTTP error codes that should be cached. If service providers want to prevent a CPDoS attack, they should return the status code that actually applies to each error.

Excluding error pages from being stored in a cache is another useful technique to mitigate a CPDoS attack. For example, adding the HTTP header “Cache-Control: no-store” to every error page will prevent the cache from being poisoned by false error messages. However, this solution can be labor intensive and is prone to human error if not every error page is maintained. Disabling error page caching in your cache configuration is the best possible approach to mitigate a Cache Poisoned Denial of Service.
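The three mitigations in this section (return the applicable status code, mark error pages `Cache-Control: no-store`, and disable error page caching in the cache itself) can all be expressed as a single store decision at the cache. The Python below is an added example, not any CDN's real logic. Its `should_store` function refuses anything carrying `no-store` (or `private`, which a shared cache must also not keep), keeps successful responses, and keeps an error response only when error caching is switched on and the status is one of the four the article lists; a short replay then shows why the decision matters: a cache that stores everything keeps serving an origin's one-off 400 to every later visitor, while a cache applying the policy does not. The responses, paths and directives are constructed sample data.

```python
"""Toy cache store-decision policy for the CPDoS mitigations, with a replay
that contrasts a store-everything cache against one that applies the policy.
Added example; the sample responses are constructed."""

from dataclasses import dataclass, field
from typing import Callable

# Error statuses the article lists as the ones a cache may store.
CACHEABLE_ERROR_STATUSES = {404, 405, 410, 501}


@dataclass
class Response:
    status: int
    headers: dict[str, str] = field(default_factory=dict)
    body: str = ""


def cache_control_directives(headers: dict[str, str]) -> set[str]:
    """Return the lower-cased directive names from a Cache-Control header
    (values such as max-age=60 are reduced to their name)."""
    raw = next((v for k, v in headers.items() if k.lower() == "cache-control"), "")
    return {d.strip().split("=", 1)[0].lower() for d in raw.split(",") if d.strip()}


def should_store(resp: Response, cache_error_pages: bool = False) -> bool:
    """Decide whether a shared cache may keep this response.

    cache_error_pages=False is the 'error caching disabled' configuration
    the article recommends; True allows only the listed error statuses."""
    directives = cache_control_directives(resp.headers)
    if "no-store" in directives or "private" in directives:
        return False
    if 200 <= resp.status < 300:
        return True
    if resp.status >= 400:
        return cache_error_pages and resp.status in CACHEABLE_ERROR_STATUSES
    return False


class Cache:
    """Minimal cache keyed by path; the policy decides what gets stored."""

    def __init__(self, policy: Callable[[Response], bool]):
        self.policy = policy
        self.store: dict[str, Response] = {}

    def fetch(self, path: str, origin: Callable[[str], Response]) -> Response:
        if path in self.store:
            return self.store[path]
        resp = origin(path)
        if self.policy(resp):
            self.store[path] = resp
        return resp


def run_scenario(policy: Callable[[Response], bool]) -> tuple[int, int]:
    """Replay: the origin answers the first request for /page with a 400
    (it rejected that request's headers) and every later request with 200.
    Returns the statuses seen by the first and the second visitor."""
    replies = [Response(400, body="Bad Request"),
               Response(200, {"Cache-Control": "max-age=60"}, "hello")]

    def origin(path: str) -> Response:
        return replies.pop(0) if len(replies) > 1 else replies[0]

    cache = Cache(policy)
    first = cache.fetch("/page", origin).status
    second = cache.fetch("/page", origin).status
    return first, second


if __name__ == "__main__":
    print("store everything:", run_scenario(lambda r: True))   # (400, 400): poisoned
    print("policy applied:  ", run_scenario(should_store))      # (400, 200): second visitor is fine
```

The `cache_error_pages` switch is the single knob the last paragraph recommends turning off; even with it on, a framework's default 400 is never stored, which is the point of returning the applicable status code in the first place.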