Web Cache Poisoning via Host Header - Vulnerability Database

Web Cache Poisoning via Host Header

Description

This web application sits behind a caching layer that can be poisoned through the Host header. The origin reflects the Host header, port included, into the Location header of a redirect, while the cache key ignores the port. A request for a cacheable resource with a Host header carrying an invalid or attacker-chosen port (for example Host: example.com:1337) therefore causes the cache to store a redirect to that port under the same key that a normal request for example.com uses. Every subsequent legitimate user who requests the same resource is served the poisoned entry and redirected to an inaccessible location until the entry expires or is purged.

Remediation

Configure the caching system to include the full Host header value, port included, in the cache key, and validate the Host header so that requests with unexpected values are rejected before they reach the cache or the origin. Keying on the full Host value ensures that a response generated for example.com:1337 can never be served to a visitor of example.com; on its own, however, it still lets an attacker create one cache entry per chosen port, so the Host header allowlist is the part of the fix that removes the problem at its source, because the origin then never builds a redirect from an attacker-supplied value.

Implementation steps:
1. Review your caching configuration (e.g., Varnish, nginx, CDN settings) to identify how cache keys are generated
2. Modify the cache key generation to include the full Host header value, including the port number
3. Implement strict validation of the Host header to reject requests with invalid or unexpected port numbers
4. Consider implementing a whitelist of allowed Host header values

Example nginx configuration. Note that nginx's $host variable has the port stripped, so a key built from $host does not separate the two requests; $http_host carries the Host header exactly as the client sent it, port included. The nginx default key, $scheme$proxy_host$request_uri, uses the upstream name rather than the client's Host header at all:

proxy_cache_key "$scheme$http_host$request_uri";

Example Varnish VCL configuration. req.http.host is the raw header, port included, so two requests that differ only in the port hash to different objects. This mirrors the vcl_hash in Varnish's builtin.vcl; the exposure arises when a custom vcl_hash drops or normalizes the host:
sub vcl_hash {
    hash_data(req.url);
    # hash the Host header as sent, port included; fall back to the
    # listening address when the request carried no Host header at all
    if (req.http.host) {
        hash_data(req.http.host);
    } else {
        hash_data(server.ip);
    }
    return (lookup);
}

Additionally, purge any existing poisoned cache entries after deploying these fixes: entries stored before the change remain valid until they expire, and a changed cache key does not invalidate them.
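The following nginx configuration brings remediation steps 2 to 4 together in one reverse-proxy cache. It is an added example written for this page, not configuration from the original advisory or from any product; the hostnames, certificate paths, cache path and upstream address are assumptions for illustration, and the fragment belongs in the http context (for example a file under conf.d).

```nginx
# Added example, not part of the original advisory. All names, paths and
# addresses below are assumptions for illustration.

proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=edge:10m max_size=1g;

upstream origin_backend {
    server 10.0.0.10:8080;   # assumed origin address
}

# Step 4: allowlist of exact Host header values. $http_host is the header as
# the client sent it, port included, so "www.example.com:1337" does not
# match "www.example.com" and maps to the empty default.
map $http_host $host_allowed {
    default                 "";
    "www.example.com"       1;
    "www.example.com:443"   1;
}

# Requests whose Host matches no server_name land here. server_name matching
# ignores the port, so this block only catches unknown names; unexpected
# ports on a known name are handled by the map above.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;   # nginx >= 1.19.4: no certificate needed here
}

server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate     /etc/nginx/tls/www.example.com.crt;   # assumed path
    ssl_certificate_key /etc/nginx/tls/www.example.com.key;   # assumed path

    # Step 3: reject any Host value outside the allowlist before the request
    # can reach the cache or the origin.
    if ($host_allowed = "") {
        return 400;
    }

    location / {
        proxy_cache edge;
        # Step 2: key on $http_host, not $host. $host strips the port, so
        # with it "www.example.com" and "www.example.com:1337" would share
        # one cache entry; with $http_host they are kept apart.
        proxy_cache_key "$scheme$http_host$request_uri";
        proxy_cache_valid 200 301 302 10m;

        # Forward the validated Host unchanged, so any redirect the origin
        # builds from it can only contain an allowlisted value.
        proxy_set_header Host $http_host;
        proxy_pass http://origin_backend;
    }
}
```

After loading it with nginx -t and a reload, a request such as curl -k -H 'Host: www.example.com:1337' https://<server>/ should receive 400 and leave nothing in the cache, while the same request with Host: www.example.com is proxied and cached under a key that contains the Host value as sent.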
