Web cache poisoning attacks have been discovered that could be used to deny users access to resources delivered through a content delivery network (CDN). Named Cache-Poisoned Denial of Service (CPDoS), the new method has several variations and works by sending an HTTP request with a malformed header. CDNs have the property of reducing the traffic footprint on origin servers using their services by caching resources that are requested frequently by clients. CPDoS works at the level of the intermediate cache system of a CDN, which receives and stores an error page caused by a malformed HTTP request header and works as follows.
There are three variations of the CPDoS attack:
With the HHO type of CPDoS attack, a threat actor takes advantage of the size limit intermediary systems and web servers set for an HTTP request header.
If the cache system accepts a request header size larger than what is defined for the origin server, the attacker can craft a request with an oversized request key or with multiple headers.
HTTP Meta Character (HMC), the second variation of the CPDoS attack is similar to HHO but leverages a harmful meta character. These are any “control characters such as the break/carriage return (‘\n)’, line feed (‘\r’) or bell (‘\a’).” Again, the cache system does its job and forwards the request as it is received from the client. As it reaches the origin server, it may be classified as malicious and generates an error message that gets cached and presented to the client instead of the requested resource.
The method override attack (HMO), a third variation of the CPDoS, profits from intermediary systems (e.g. proxies, load balancers, caches, firewalls) supporting only the GET and POST HTTP request methods.
This translates into blocking other HTTP requests methods. A web framework that provides instructions for the web app to replace the supported HTTP method in the header allows bypassing the security policy and delivers a different one, such as DELETE.The consequence is that the error message is cached and served for subsequent valid GET requests for the /index.html resource.
The table below shows which combination of web caching systems and HTTP implementation is affected by this class of denial of service.
Amazon’s security team acknowledged the weaknesses in CloudFront and stopped caching error pages with the status code ‘400 Bad Request’ by default
Microsoft updated IIS Server with a fix and published details about the vulnerability (CVE-2019-0941) in June. Play Framework also patched their product against the HMO method in versions 1.5.3 and 1.4.6. Researchers have not heard back from most of the other vendors.