Web Cache Poisoning
Description
Web Cache Poisoning occurs when an attacker manipulates request inputs that the cache does not include in its cache key (unkeyed inputs, typically HTTP headers such as X-Forwarded-Host, cookies, or query parameters the cache has been configured to ignore) but that the application still uses when generating the response, so that malicious content ends up in a cached response. Because caching systems store and reuse that poisoned response, it is subsequently served to every other user who requests the same resource until the entry expires. The vulnerability is the discrepancy between what the cache considers when looking up and storing a response and what the application actually used to build it.
Remediation
Implement the following measures to prevent web cache poisoning:
1. Configure Cache Keys Properly:
Use the Vary HTTP response header to name every request header that influences the response, so that a standards-compliant cache keys on those headers as well. For example:
Vary: User-Agent, X-Forwarded-Host, Accept-Encoding
Confirm that the cache in front of the application actually honours Vary: some CDNs ignore it for anything other than Accept-Encoding, in which case add the header to the cache key in the CDN configuration or strip the header at the edge before it reaches the origin. Keying on high-cardinality headers such as User-Agent fragments the cache and lowers the hit rate, so where possible stop reflecting the header rather than keying on it.
2. Validate and Sanitize Input:
Avoid reflecting unkeyed inputs (headers, cookies) in responses. If necessary, strictly validate and sanitize them before use.
3. Disable Caching for Dynamic Content:
For pages that include user-specific or sensitive data, send cache control headers that forbid any shared cache from storing the response:
Cache-Control: no-store, private
Pragma: no-cache
Cache-Control is the directive modern caches act on; Pragma: no-cache is kept only for legacy HTTP/1.0 caches.
4. Implement Cache Segmentation:
Separate cache instances for different user groups or security contexts to limit the blast radius of potential poisoning.
5. Review Cache Configuration:
Audit your caching layer (CDN, reverse proxy, application cache) to ensure all inputs that affect responses are included in cache keys or that caching is disabled for sensitive endpoints.
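The discrepancy in the description and remediations 1 to 3 above, as an added example that is not part of the original page: a toy Vary-aware cache in front of a toy origin that reflects X-Forwarded-Host into a script URL. The attacker primes the cache with a forged header, then an ordinary victim requests the same path. The names (vulnerable_app, hardened_app, Cache, run_scenario), the hosts shop.example and evil.example, and the allowlist are all assumptions made for the demo.

```python
"""Added example, not from the original page: a toy Vary-aware cache in front
of a toy origin that reflects X-Forwarded-Host, showing how an unkeyed header
poisons a shared cache entry and how remediations 1-3 stop it. Every name and
host below is an assumption made for the demo."""
from typing import Callable, Dict, Tuple

Request = Dict[str, str]    # "path" plus request headers, name -> value
Response = Dict[str, str]   # "body" plus response headers, name -> value
CANONICAL_HOST = "shop.example"                       # assumed site
TRUSTED_HOSTS = {"shop.example", "www.shop.example"}  # assumed allowlist


def vulnerable_app(req: Request) -> Response:
    """Reflects X-Forwarded-Host into a script URL: no validation, no Vary,
    no cache directives. This is the poisoning target."""
    host = req.get("X-Forwarded-Host", req["Host"])
    return {"body": f'<script src="https://{host}/static/app.js"></script>'}


def hardened_app(req: Request) -> Response:
    """Allowlists the forwarded host (remediation 2), declares it in Vary
    (remediation 1) and marks user-specific pages no-store (remediation 3)."""
    forwarded = req.get("X-Forwarded-Host", "")
    host = forwarded if forwarded in TRUSTED_HOSTS else CANONICAL_HOST
    resp: Response = {"body": f'<script src="https://{host}/static/app.js"></script>',
                      "Vary": "X-Forwarded-Host"}
    if req["path"].startswith("/account"):
        resp["Cache-Control"] = "no-store, private"
        resp["Pragma"] = "no-cache"
    return resp


class Cache:
    """Shared cache keyed on path + configured headers; if honour_vary is set
    it also keys on the headers the origin names in its Vary response header."""

    def __init__(self, origin: Callable[[Request], Response],
                 keyed_headers: Tuple[str, ...] = ("Host",),
                 honour_vary: bool = True) -> None:
        self.origin = origin
        self.keyed_headers = keyed_headers
        self.honour_vary = honour_vary
        self.vary_by: Dict[str, Tuple[str, ...]] = {}   # path -> headers from Vary
        self.store: Dict[tuple, Response] = {}

    def _key(self, req: Request) -> tuple:
        names = self.keyed_headers + self.vary_by.get(req["path"], ())
        return (req["path"],) + tuple(req.get(n, "") for n in names)

    def fetch(self, req: Request) -> Tuple[Response, str]:
        """Returns (response, 'HIT' | 'MISS' | 'BYPASS')."""
        key = self._key(req)
        if key in self.store:
            return self.store[key], "HIT"
        resp = self.origin(req)
        directives = resp.get("Cache-Control", "")
        if "no-store" in directives or "private" in directives:
            return resp, "BYPASS"              # never stored, so never shared
        if self.honour_vary and "Vary" in resp:
            self.vary_by[req["path"]] = tuple(h.strip() for h in resp["Vary"].split(","))
            key = self._key(req)               # re-key with the learned headers
        self.store[key] = resp
        return resp, "MISS"


def run_scenario(origin: Callable[[Request], Response],
                 keyed_headers: Tuple[str, ...] = ("Host",),
                 honour_vary: bool = True) -> Dict[str, object]:
    """Attacker primes the cache with a forged X-Forwarded-Host, then an
    ordinary victim requests the same path; reports what the victim received."""
    cache = Cache(origin, keyed_headers, honour_vary)
    attacker: Request = {"path": "/", "Host": CANONICAL_HOST,
                         "X-Forwarded-Host": "evil.example"}   # constructed request
    victim: Request = {"path": "/", "Host": CANONICAL_HOST}     # constructed request
    cache.fetch(attacker)
    resp, status = cache.fetch(victim)
    return {"status": status, "poisoned": "evil.example" in resp["body"]}


def all_scenarios() -> Dict[str, object]:
    """One entry per setup; the value is what the victim (or the cache) saw."""
    return {
        # unkeyed header + vulnerable origin: the attacker's entry is served to the victim
        "unkeyed_header": run_scenario(vulnerable_app),
        # same origin, but the cache key now includes X-Forwarded-Host (remediation 1 at the cache)
        "cache_key_fixed": run_scenario(vulnerable_app, ("Host", "X-Forwarded-Host")),
        # hardened origin, cache honours its Vary header
        "hardened_origin": run_scenario(hardened_app),
        # hardened origin behind a cache that ignores Vary: input validation alone still holds
        "hardened_vary_ignored": run_scenario(hardened_app, honour_vary=False),
        # user-specific page: no-store keeps it out of the shared cache entirely
        "sensitive_no_store": Cache(hardened_app).fetch(
            {"path": "/account", "Host": CANONICAL_HOST, "Cookie": "session=abc123"})[1],
    }


if __name__ == "__main__":
    for name, outcome in all_scenarios().items():
        print(f"{name}: {outcome}")
```

The fourth scenario is the one worth noting: with the hardened origin behind a cache that ignores Vary, the victim still gets a HIT on the attacker-primed entry, but that entry is harmless because the origin never reflected the untrusted value. That is why remediation 2 is the control to rely on, with cache keying and no-store as defence in depth.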