Web Cache Poisoning via semicolon query separator
Description
This vulnerability occurs when a web application sits behind a caching layer that parses query parameter separators differently from the application itself. An attacker can use a semicolon (;) instead of the standard ampersand (&) to separate GET parameters: the caching proxy then builds its cache key from one view of the parameters while the backend server acts on another. This discrepancy lets an attacker inject malicious content into a cached response, and the poisoned cache entry is then served to legitimate users, enabling various attacks without any direct interaction with each victim.
Remediation
Implement the following measures to prevent web cache poisoning via semicolon separators:
1. Normalize query parameter parsing: Configure your web server and application to treat semicolons consistently. Either reject requests containing semicolons in query strings or normalize them to ampersands before processing.
2. Update cache key configuration: Ensure your caching layer includes all relevant parts of the query string in the cache key, regardless of the separator used. Configure the cache to normalize query strings before generating cache keys.
3. Implement strict input validation: Reject or sanitize requests that use non-standard parameter separators (example Express-style middleware in JavaScript; rejection and normalization are alternatives, so use one or the other, not both):

// Example: reject or normalize semicolon separators (Express-style middleware)
function normalizeQuerySeparators(req, res, next) {
  const query = req.url.includes('?') ? req.url.slice(req.url.indexOf('?') + 1) : '';
  if (!query.includes(';')) {
    return next();
  }
  // Option A: reject the request outright
  return res.status(400).send('Bad Request');
  // Option B (use instead of A): rewrite ';' to '&' so every layer parses the query the same way
  // req.url = req.url.replace(/;/g, '&');
  // return next();
}

4. Set appropriate cache headers: Use Vary headers and Cache-Control directives to prevent caching of user-specific or dynamic content that could be exploited.
5. Review caching proxy configuration: Ensure your CDN or reverse proxy is configured to handle query string variations securely and consistently with your application server.
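The parsing discrepancy described above, together with the cache-key normalization of remediation step 2, as an added example that is not part of the original advisory: a cache that splits only on '&' and drops tracking parameters from its key is compared with a backend that also splits on ';', and a check confirms that normalizing the query before keying removes the collision. The path, the parameter names, the unkeyed list and all function names are constructed for this example.

```javascript
// Parse a query string with a configurable set of separator characters.
function parseQuery(query, separators) {
  const params = new Map();
  const splitter = new RegExp(`[${separators}]`);
  for (const pair of query.split(splitter)) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const key = eq === -1 ? pair : pair.slice(0, eq);
    const val = eq === -1 ? '' : pair.slice(eq + 1);
    params.set(decodeURIComponent(key), decodeURIComponent(val));
  }
  return params;
}

// Tracking parameters the cache deliberately leaves out of its key (constructed list).
const UNKEYED = new Set(['utm_source', 'utm_content']);

// Cache key as a naive cache builds it: splits only on '&' and drops unkeyed params.
// With normalize=true the query is first rewritten to use '&' everywhere (remediation step 2).
function cacheKey(path, query, normalize) {
  const q = normalize ? query.replace(/;/g, '&') : query;
  const kept = [...parseQuery(q, '&')]
    .filter(([k]) => !UNKEYED.has(k))
    .sort(([a], [b]) => a.localeCompare(b))
    .map(([k, v]) => `${k}=${v}`);
  return kept.length ? `${path}?${kept.join('&')}` : path;
}

// What the backend sees: it accepts ';' as well as '&' as a separator.
function backendParams(query) {
  return parseQuery(query, ';&');
}

// Defender's check: two requests that the backend treats differently must never
// share a cache key. Returns true when the cache would conflate them.
function hasDiscrepancy(path, q1, q2, normalize) {
  const sameKey = cacheKey(path, q1, normalize) === cacheKey(path, q2, normalize);
  const b1 = JSON.stringify([...backendParams(q1)].sort());
  const b2 = JSON.stringify([...backendParams(q2)].sort());
  return sameKey && b1 !== b2;
}

// Constructed sample: an empty query versus one whose second parameter hides behind ';'.
console.log(hasDiscrepancy('/page', '', 'utm_source=news;lang=de', false)); // true
console.log(hasDiscrepancy('/page', '', 'utm_source=news;lang=de', true));  // false
```

The same check can be run against your real cache-key function in a unit test: any pair of queries for which hasDiscrepancy returns true is a cache-poisoning vector.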