Web Cache Poisoning DoS (for javascript)

Description

This vulnerability occurs when a web cache system is misconfigured to cache HTTP error responses (such as 400 Bad Request, 404 Not Found, or 501 Not Implemented) for JavaScript resources. An attacker can exploit this by sending a specially crafted malformed request to a legitimate JavaScript file, causing the server to return an error response that gets cached. Once cached, all subsequent users attempting to access that JavaScript file will receive the cached error response instead of the actual file, effectively breaking application functionality.

Remediation

Configure the caching system to exclude HTTP error responses from being cached. Implement the following measures:

1. Disable caching for error status codes: Configure your cache layer (CDN, reverse proxy, or application cache) to never cache responses with 4xx and 5xx status codes. For example, in Nginx:

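# Cache successful responses and redirects for 10 minutes
proxy_cache_valid 200 302 10m;
# A validity time of 0 means the response is not cached
proxy_cache_valid 404 0;
proxy_cache_valid 400 0;
# proxy_cache_valid takes numeric status codes (or "any"), not wildcards such as 5xx
proxy_cache_valid 500 501 502 503 504 0;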

2. Implement cache key normalization: Ensure cache keys are based only on normalized, validated request parameters to prevent malformed requests from creating separate cache entries.

3. Set appropriate Cache-Control headers: Configure your application to send explicit cache control directives for static resources:

Cache-Control: public, max-age=31536000, immutable

4. Use Vary headers carefully: Avoid using uncontrolled headers in the Vary directive that attackers could manipulate to poison the cache.

5. Monitor cache behavior: Implement logging and monitoring to detect unusual cache miss rates or error response caching patterns that may indicate an attack.
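
An added example for the monitoring step (not part of the original page or of any Invicti tooling): a Python check that scans access-log lines for JavaScript paths whose 4xx/5xx responses were answered from the cache. The log layout, the sample lines and the function name are assumptions made for illustration; `$upstream_cache_status` is the nginx variable that records the cache result.

```python
import re
from collections import defaultdict

# Assumed access-log layout (an assumption, not from the page), e.g. in nginx:
#   log_format cache '$remote_addr "$request" $status cache=$upstream_cache_status';
LINE_RE = re.compile(
    r'^(?P<client>\S+) "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) cache=(?P<cache>\S+)$'
)
# nginx $upstream_cache_status values that mean the body came from the cache.
SERVED_FROM_CACHE = {"HIT", "STALE", "UPDATING", "REVALIDATED"}

# Constructed sample log lines (documentation addresses, invented paths).
SAMPLE_LOG = """\
198.51.100.7 "GET /static/app.js HTTP/1.1" 200 cache=HIT
203.0.113.9 "GET /static/app.js HTTP/1.1" 400 cache=MISS
198.51.100.7 "GET /static/app.js HTTP/1.1" 400 cache=HIT
198.51.100.22 "GET /static/app.js?v=3 HTTP/1.1" 400 cache=HIT
192.0.2.15 "GET /static/old.js HTTP/1.1" 404 cache=MISS
192.0.2.15 "GET /static/vendor.js HTTP/1.1" 200 cache=HIT
192.0.2.40 "GET /api/items HTTP/1.1" 500 cache=MISS
"""

def find_cached_js_errors(lines):
    """Return {path: {"statuses", "hits", "clients"}} for .js paths whose
    4xx/5xx responses were answered from the cache."""
    found = defaultdict(lambda: {"statuses": set(), "hits": 0, "clients": set()})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not follow the assumed layout
        path = m["uri"].split("?", 1)[0]  # group by path, ignoring the query string
        status = int(m["status"])
        if (path.endswith(".js") and status >= 400
                and m["cache"] in SERVED_FROM_CACHE):
            entry = found[path]
            entry["statuses"].add(status)
            entry["hits"] += 1
            entry["clients"].add(m["client"])
    return dict(found)

if __name__ == "__main__":
    for path, info in find_cached_js_errors(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {path}: status {sorted(info['statuses'])} served from "
              f"cache {info['hits']} times to {len(info['clients'])} clients")
```

An error that reaches the origin once (cache MISS) is normal traffic; the same error returned as a cache hit to several clients is the pattern worth alerting on.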
