Web Cache Poisoning via JSONP and UTM_ parameter - Vulnerability Database

Web Cache Poisoning via JSONP and UTM_ parameter

Description

This vulnerability occurs when a web application's caching layer can be manipulated to store malicious responses by exploiting parameter handling inconsistencies. Attackers exploit UTM_* parameters (commonly used for marketing tracking) to inject duplicate request parameters that bypass cache key calculations but are still processed by the backend application. When the poisoned response is cached, it is subsequently served to legitimate users, enabling various client-side attacks.

Remediation

Implement the following measures to prevent cache poisoning attacks:

1. Normalize Parameter Parsing: Ensure consistent parameter handling across all application layers (cache, web server, application). Reject or sanitize requests containing duplicate parameters or non-standard delimiters.

2. Include Critical Parameters in Cache Keys: Configure your caching layer to include UTM_* parameters and all user-controllable input in cache key calculations. This prevents parameter cloaking attacks.

3. Implement Strict Parameter Validation:

// Example (Java servlet API): reject requests that repeat a parameter name.
// getParameterValues() returns null when the parameter is absent, so check
// for null before reading the array length.
String[] callbacks = request.getParameterValues("callback");
if (callbacks != null && callbacks.length > 1) {
    response.sendError(HttpServletResponse.SC_BAD_REQUEST,
                       "Invalid request: duplicate parameters");
    return;
}

// Validate and sanitize UTM parameters before they reach the backend
String utmSource = sanitizeInput(request.getParameter("utm_source"));

4. Use Cache-Control and Vary Headers: Set appropriate Cache-Control and Vary headers so that the cache distinguishes responses by every request characteristic that influences them.

5. Disable JSONP if Unused: If JSONP functionality is not required, disable it entirely and use CORS for cross-origin requests instead.

6. Regular Security Testing: Perform cache poisoning tests as part of your security assessment process to identify parameter handling inconsistencies.
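The following Python example is added here to show remediation steps 1 to 3 working together; it is not code from Invicti or from the original entry. It contrasts a naive cache key (which drops utm_* parameters and keeps only the first value of a repeated name, so distinct requests collapse onto one entry) with a strict parser that rejects duplicate names and non-standard delimiters, a cache key that includes every parameter, and a JSONP callback validator. The host, path, query strings and the identifier pattern for callbacks are constructed assumptions.

```python
import re
from typing import Optional, Tuple
from urllib.parse import parse_qsl, urlencode

# Separators some backends accept besides '&' (assumed list). A cache that
# splits only on '&' sees one parameter where such a backend sees two, so
# requests containing them are refused rather than parsed differently.
NON_STANDARD_DELIMITERS = (";",)

# JSONP callback names are limited to a dotted JavaScript identifier path.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$")


class InvalidRequest(ValueError):
    """Raised for requests that must get a 400 instead of being cached."""


def parse_query_strict(query: str) -> dict:
    """One parser for every layer (cache, web server, application).

    Rejects duplicate parameter names (compared case-insensitively, the
    conservative choice since some backends ignore case) and non-standard
    delimiters, so no layer can see a different value than another.
    """
    for delim in NON_STANDARD_DELIMITERS:
        if delim in query:
            raise InvalidRequest(f"non-standard delimiter {delim!r} in query string")
    params = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        key = name.lower()
        if key in params:
            raise InvalidRequest(f"duplicate parameter {name!r}")
        params[key] = value
    return params


def naive_cache_key(host: str, path: str, query: str) -> str:
    """Key of a cache that ignores utm_* and keeps the first value of a
    repeated name. Included only to show the inconsistency; do not use."""
    seen = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name.lower().startswith("utm_"):
            continue
        seen.setdefault(name, value)  # first occurrence wins
    return f"{host}{path}?{urlencode(sorted(seen.items()))}"


def strict_cache_key(host: str, path: str, params: dict) -> str:
    """Key that includes every parameter, utm_* included, in canonical order
    (remediation step 2), so each distinct request gets its own entry."""
    return f"{host}{path}?{urlencode(sorted(params.items()))}"


def handle_jsonp_request(host: str, path: str, query: str) -> Tuple[int, Optional[str]]:
    """Validate the request, then compute its cache key.

    Returns (status, cache_key); cache_key is None when the request is
    rejected with 400 and must not be cached at all.
    """
    try:
        params = parse_query_strict(query)
    except InvalidRequest:
        return 400, None
    callback = params.get("callback", "")
    if callback and not CALLBACK_RE.fullmatch(callback):
        return 400, None  # step 3: only well-formed callback names are accepted
    return 200, strict_cache_key(host, path, params)


if __name__ == "__main__":
    # Constructed sample requests (not from the original page).
    host, path = "example.test", "/api/user"
    legit = "callback=renderData&utm_source=newsletter"
    dup = "callback=renderData&utm_source=newsletter&callback=other"
    # The naive cache files both requests under one key...
    print(naive_cache_key(host, path, legit) == naive_cache_key(host, path, dup))
    # ...while the strict handler refuses the duplicate outright.
    print(handle_jsonp_request(host, path, dup))
    print(handle_jsonp_request(host, path, legit))
```

The naive key demonstrates the mismatch the description refers to: the cache cannot tell the two requests apart, while a backend that reads the last value of a repeated name would process a different callback. The strict handler removes the ambiguity at the edge, before either layer interprets the query.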
