Web Cache Poisoning through HTTP/2 pseudo-headers - Vulnerability Database

Web Cache Poisoning through HTTP/2 pseudo-headers

Description

This web application uses a caching system that is vulnerable to cache poisoning through HTTP/2 pseudo-headers. The cache key generation does not include certain HTTP/2 pseudo-headers (such as :authority, :method, :path, or :scheme), allowing attackers to manipulate these unkeyed inputs. By crafting requests with malicious values in these headers, an attacker can poison the cache with a response containing attacker-controlled content, which will then be served to subsequent users requesting the same resource.

Remediation

Implement the following measures to prevent HTTP/2 pseudo-header cache poisoning:

1. Include HTTP/2 pseudo-headers in cache keys: Configure your caching layer (CDN, reverse proxy, or application cache) to include all HTTP/2 pseudo-headers (:authority, :method, :path, :scheme) when generating cache keys. This ensures that responses with different pseudo-header values are cached separately.

2. Validate and sanitize pseudo-headers: Implement strict validation for all HTTP/2 pseudo-headers at the application or proxy level. Reject requests with unexpected or malicious values.

3. Normalize header values: Configure your web server or reverse proxy to normalize HTTP/2 pseudo-headers before they reach the application. For example, in Nginx:

proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto $scheme;

4. Disable caching for sensitive endpoints: For pages that reflect user input or handle sensitive operations, set appropriate cache-control headers to prevent caching:
Cache-Control: no-store, no-cache, must-revalidate, private

5. Review cache configuration: Audit your caching infrastructure to identify all unkeyed inputs and ensure they are either included in the cache key or properly validated and sanitized.
