Web Cache Poisoning via Fat GET Request
Description
This web application sits behind a caching layer that mishandles HTTP GET requests carrying a request body (so-called "fat" GET requests): the cache computes its key from the method, URL and selected headers only, while the origin server reads the body when building the response. An attacker can send a GET request whose body changes the response, and the cache stores that response under the normal key and serves it to every subsequent user requesting the same URL. This lets the attacker poison the cache with attacker-controlled content, affecting all users who receive the cached response.
Remediation
Configure the web server and caching layer to reject HTTP GET requests that contain a request body. Implement the following measures:
1. Server-side validation: Configure your web server to return a 400 Bad Request or 413 Payload Too Large status code for GET requests with non-empty bodies.
Example for Apache (in .htaccess or httpd.conf). Note that mod_rewrite exposes request headers as %{HTTP:header}, and that a body sent with Transfer-Encoding: chunked has no Content-Length, so both headers are checked:

RewriteEngine On
# Only GET requests are affected
RewriteCond %{REQUEST_METHOD} ^GET$
# Reject if Content-Length is present and non-zero, or if a Transfer-Encoding is set
RewriteCond %{HTTP:Content-Length} !^(0)?$ [OR]
RewriteCond %{HTTP:Transfer-Encoding} !^$
# R with a non-3xx status stops rewriting and returns that status
RewriteRule .* - [R=400,L]

Example for NGINX. NGINX does not allow nested "if" blocks, so the method and body checks are combined in a "map" (http context) and the "if" in the server block only tests the result:

# http context
map "$request_method:$content_length:$http_transfer_encoding" $fat_get {
default 0;
"~^GET:[1-9]" 1; # Content-Length present and non-zero
"~^GET:[^:]*:.+" 1; # Transfer-Encoding present (chunked body)
}

# server context
if ($fat_get) {
return 400;
}

2. Cache configuration: Configure your caching layer (CDN, reverse proxy, or application cache) either not to cache responses to requests that carry a body, or to reject such requests outright.
3. Application-level checks: Implement validation in your application code to detect and reject GET requests with bodies before processing.
4. Testing: Verify the fix by sending GET requests with bodies and confirming they are rejected with appropriate error codes.
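The following is an added example, not code from the advisory: a small WSGI middleware implementing the application-level check of step 3, together with a minimal in-process client for the verification in step 4. The origin application and sample requests are constructed here; the only assumption is a WSGI-style application, and the check also covers bodies sent with Transfer-Encoding: chunked, which carry no Content-Length.

```python
from typing import Callable, List, Tuple

BODYLESS_METHODS = {"GET", "HEAD"}


def has_request_body(environ: dict) -> bool:
    """True if the request advertises a body: Content-Length > 0 or any Transfer-Encoding.
    A chunked body carries no Content-Length, so checking CONTENT_LENGTH alone would miss it."""
    length = str(environ.get("CONTENT_LENGTH") or "").strip()
    if length and length != "0":
        return True
    return bool(environ.get("HTTP_TRANSFER_ENCODING"))


def reject_fat_get(app: Callable) -> Callable:
    """WSGI middleware: answer 400 for GET/HEAD requests that carry a body,
    before the wrapped application can let that body influence a cacheable response."""
    def wrapper(environ, start_response):
        method = environ.get("REQUEST_METHOD", "").upper()
        if method in BODYLESS_METHODS and has_request_body(environ):
            body = b"400 Bad Request: GET requests must not carry a body\n"
            start_response("400 Bad Request", [
                ("Content-Type", "text/plain"),
                ("Content-Length", str(len(body))),
                ("Cache-Control", "no-store"),  # the rejection itself must not be cached
            ])
            return [body]
        return app(environ, start_response)
    return wrapper


def origin_app(environ, start_response):
    """Constructed stand-in for the origin: a fixed, cacheable page."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello\n"]


def call(app: Callable, method: str, body: bytes = b"", chunked: bool = False) -> Tuple[str, bytes]:
    """Minimal in-process WSGI client for step 4; returns (status line, response body)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": "/",
               "CONTENT_LENGTH": str(len(body)) if body and not chunked else ""}
    if chunked:
        environ["HTTP_TRANSFER_ENCODING"] = "chunked"  # body length unknown up front
    status: List[str] = []
    def start_response(s, headers, exc_info=None):
        status.append(s)
    out = b"".join(app(environ, start_response))
    return status[0], out


PROTECTED_APP = reject_fat_get(origin_app)
```

Run the same four requests (plain GET, GET with body, chunked GET, POST with body) against the real deployment to confirm the server-side and cache-layer rules behave the same way.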