Caching web content improves performance on both the server and client side. Unfortunately, the HTTP protocol used in the caching mechanism only performs integrity checks on the server side. This lack of authentication, including flaws in web applications such as DNS software, gives attackers an opportunity to “poison” the cache respiratory.
Once cache poisoning is complete, users accessing the poisoned cache are served illegitimate content, or routed to an IP address controlled by the attacker. This continues until the poisoned cache entry is purged or removed. To prevent cache poisoning from happening in the first place, new integrity-checking technology like SRI can be used.
Note: The illustration above is an example of DNS cache poisoning.
How Cache Poisoning Works
There are different approaches to cache poisoning. One method involves attacking the intermediate web cache by taking over the origin server temporarily, then serving compromised content marked to be cached for an extended period of time.
The other method involves attacking the intermediate web cache server by disrupting the synchronization of the HTTP request and response streams between the origin server and web cache. Here the attacker may use HTTP response splitting to pass malicious content to the vulnerable web application, mostly through an HTTP request. The content is then included in an HTTP response header, usually sent to the user without validation.
A typical approach to cache poisoning works like this:
- The attacker searches for and exploits flaws in the code, allowing them to place illegitimate headers in the HTTP header field
- The attacker flushes out legitimate cached content from the cache server
- The attacker sends a specially crafted request - or malicious data such as a forged DNS response - to the cache server
- The illegitimate data is stored in the cache
Example of Cache Poisoning
An example of cache poisoning is DNS cache poisoning where attackers replace a genuine IP address in the DNS cache with an IP address they control. Unaware of what has happened, users served from this DNS cache are redirected to the attacker’s compromised site. This may be a malware download site or one designed to collect sensitive personal data.
In 2013, the Malaysian Google domains google.my and google.com.my suffered a DNS cache poisoning attack. The attackers had replaced the real domain IPs with their own rogue IPs. Users who tried to access any of the Google domains were redirected to a web page with a message that stated that a Pakistani hacking group was responsible for the attack.
This attack lasted for several hours until the security team from MYNIC, Malaysia’s web addresses administrator, removed the rogue IP entries from the DNS cache.
Cache poisoning makes websites unusable and causes users to lose trust in the businesses that run them. Therefore it’s critical to ensure all cached content is valid and useful to the user. Among commonly-used methods for preventing cache poisoning is adding security to the DNS using tools such as DNSSEC. Other preventive measures include limiting the recursive queries to the DNS and ensuring that only data related to the requested domain is stored and sent to users.