Web cache poisoning is an advanced technique whereby an attacker exploits the behavior of a web server and cache so that a harmful HTTP response is served to other users.

  1. Work out how to elicit a response from the back-end that contains some kind of dangerous payload.
  2. Make sure that this response is cached and subsequently served to the intended victims.

More research:

Web Cache Entanglement: Novel Pathways to Poisoning

https://portswigger.net/research/practical-web-cache-poisoning


How Web Caches Work

If a server sends out a new response to every single HTTP request separately, this would likely overload the server, resulting in latency issues and a poor user experience, especially during busy periods. Caching is primarily a means of reducing such issues.


Cache Keys

The CDN (Content Delivery Network) decides that these two requests are for the same page on the same host and therefore treats them as equivalent: only the request line and the Host header form the cache key, while the differing Cookie header is unkeyed and ignored when looking up a cached response.

GET /blog/post.php?mobile=1 HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 … Firefox/57.0
Cookie: language=pl;
Connection: close

GET /blog/post.php?mobile=1 HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 … Firefox/57.0
Cookie: language=en;
Connection: close
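The following is an added example, not part of the original notes: a small model of a cache that keys on the request line and Host only, replaying the two requests above. It shows the second user receiving the first user's cached (Polish) page, and how keying on the Cookie header as well keeps the two responses apart. All names (Request, Cache, origin, run_scenario) are hypothetical.

```python
# Added example (not part of the original notes): a minimal model of how a CDN
# keys cached responses and why an unkeyed header such as Cookie lets one
# user's response be served to another. All names here are hypothetical.
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    target: str  # path plus query string, e.g. "/blog/post.php?mobile=1"
    headers: dict = field(default_factory=dict)


def cache_key(req: Request, keyed_headers=("Host",)) -> tuple:
    """Request line plus only the headers the cache keys on; every other
    header (Cookie, User-Agent, ...) is unkeyed and ignored for lookups."""
    hdrs = tuple((h, req.headers.get(h, "")) for h in keyed_headers)
    return (req.method, req.target) + hdrs


class Cache:
    def __init__(self, origin, keyed_headers=("Host",)):
        self.origin = origin  # function Request -> response body
        self.keyed_headers = keyed_headers
        self.store = {}

    def fetch(self, req: Request) -> tuple:
        """Return (body, hit). A miss asks the origin and stores the body."""
        key = cache_key(req, self.keyed_headers)
        if key in self.store:
            return self.store[key], True
        body = self.origin(req)
        self.store[key] = body
        return body, False


def origin(req: Request) -> str:
    # Constructed back-end: the page is rendered in the language named in the
    # Cookie header, so the response depends on input the cache does not key on.
    cookie = req.headers.get("Cookie", "")
    lang = cookie.split("language=")[1].split(";")[0] if "language=" in cookie else "en"
    return f"<html lang='{lang}'>post</html>"


def run_scenario(keyed_headers=("Host",)) -> list:
    """Replay the two requests from the notes; return (body, hit) for each."""
    base = {"Host": "example.com", "User-Agent": "Mozilla/5.0 Firefox/57.0"}
    first = Request("GET", "/blog/post.php?mobile=1", {**base, "Cookie": "language=pl;"})
    second = Request("GET", "/blog/post.php?mobile=1", {**base, "Cookie": "language=en;"})
    cache = Cache(origin, keyed_headers)
    return [cache.fetch(r) for r in (first, second)]
```

With the default key the second request is a cache hit and gets the Polish page; `run_scenario(("Host", "Cookie"))` keys on the input that changes the response (the same effect a correct Vary header from the origin would have) and each user gets their own language.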



Attacking

Practical Web Cache Poisoning