A team of German security researchers has presented a new class of web cache poisoning attacks that can make victim services unreachable.
Besides offering some protection against denial-of-service (DoS) attacks, web caches are designed to reduce network traffic by reusing HTTP responses and to help applications scale.
Researchers from the Cologne University of Applied Sciences and the University of Hamburg, Germany, have found a new attack that poisons the cache with a server-generated error page, which is then served in place of the legitimate content.
The attacks against one caching proxy product (Varnish) and five CDN services that front many high-profile websites (Akamai, CDN77, Fastly, Cloudflare and CloudFront) make it possible to get error pages cached, the researchers explain in their whitepaper (PDF).
“The effects are serious because a simple request is enough to paralyze a victim website in a large region. The knowledge of the recently launched CPDoS assault is very important for researchers to gain a full understanding of the causes and countermeasures and for practitioners to implement robust and secure distributed systems,” the researchers say.
The attack exploits a general problem of layered architectures: the same message can be interpreted differently by the components that process it in sequence. Specifically, the attacker's HTTP request for a cacheable resource carries malformed fields that the caching system ignores but that cause an error once the origin server processes the request.
The origin server therefore returns an error page to the intermediate cache, which stores it, so the cache is now poisoned with the server-generated error page. The researchers named the new class “Cache-Poisoned Denial-of-Service (CPDoS)” because the useless cached content makes victim services unreachable.
In their study the researchers empirically examined how 15 available web caching solutions handle HTTP requests containing malformed fields and whether they cache the resulting error pages; the vulnerable services they found have already been notified.
The attack exploits the semantic gap between two HTTP engines, one in the shared cache and one in the origin server. The deployed caching system is less strict in processing requests than the origin server, so the attacker can include harmful headers in a request that the cache accepts.
The request passes through the cache without difficulty and is forwarded unaltered to the origin server, where processing fails. The origin thus responds with an error, which the cache stores and re-uses for subsequent requests.
As a result, every user who sends a GET for the poisoned URL receives the stored error page. The whitepaper notes that a single request, below the detection thresholds of web application firewalls and DoS protection, is enough to replace the genuine cached content with an error page.
Harmless CPDoS attacks can make images or design resources unavailable, impairing the visual appearance of applications. More serious attacks may render entire web applications inaccessible. CPDoS attacks could also block patches or firmware updates distributed through caches.
“Attackers may also deactivate major security alerts or messages on key mission websites such as online banking or government official websites. Imagine for example the scenario in which a CPDoS attack prevents the corresponding client from accessing phishing emails or natural disaster warnings,” say the researchers.
The researchers say an attacker can do this with little chance of detection but a high likelihood of success, which makes CPDoS highly risky.
The paper presents three variants of the CPDoS attack: HTTP Method Override (HMO), in which a malicious client sends a GET request that includes an HTTP method-overriding header; a second variant, in which the malicious client sends a GET request containing a header larger than the origin server's size limit but smaller than the cache's; and HTTP Meta Chara.
Experiments also revealed susceptibility to CPDoS attacks among eight Department of Defense websites, more than a dozen of the Alexa top 500 sites and a million URLs stored in the HTTP Archive.
“According to our studies 11% of the DoD websites are vulnerable to CPDoS attacks, 30% of the Alexa Top 500 websites and 16% of URLs in the analysed HTTP archive data set. The cached contents often include mission critical firmware and upgrade files,” the researchers note.
Among the vulnerable sites were ethereum.org, marines.com and nasa.gov, which use CloudFront as their CDN; on those sites scripts, style sheets, images and even dynamic content could be blocked.
In February 2019 the researchers reported the vulnerabilities to the affected HTTP implementation vendors and cache providers (including AWS, Microsoft, Play 1 and Flask) and worked closely with them to remove the identified hazards.
The most straightforward and effective countermeasure against CPDoS attacks appears to be excluding error pages from the cache, but in many cases this can affect performance.
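The semantic gap described above and the "do not cache error pages" countermeasure can be made concrete with a small simulation. The following is an added example, not code from the researchers' paper or from any of the CDN products named in the article: the cache, origin, header-size limits and the `X-Oversized` header name are all constructed for illustration, and the two limits are chosen only so that the cache accepts a request the origin rejects.

```python
# Toy model of the cache/origin semantic gap behind CPDoS and the mitigation
# the article mentions (not storing error pages). Added example: none of this
# is the researchers' code or any CDN vendor's code; limits and names are constructed.
from dataclasses import dataclass, field

CACHE_MAX_HEADER_BYTES = 8192   # constructed: the shared cache tolerates large headers
ORIGIN_MAX_HEADER_BYTES = 4096  # constructed: the origin server is stricter than the cache


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str


def origin(req: Request) -> Response:
    """Origin server: any header over its own limit yields a 400 error page."""
    for name, value in req.headers.items():
        if len(name) + len(value) > ORIGIN_MAX_HEADER_BYTES:
            return Response(400, "Bad Request: request header too large")
    return Response(200, f"real content of {req.path}")


class SharedCache:
    """Cache keyed on the URL only; the headers the origin will choke on are not part of the key."""

    def __init__(self, cache_error_pages: bool):
        self.cache_error_pages = cache_error_pages
        self.store = {}

    def fetch(self, req: Request) -> Response:
        key = req.path                       # headers never influence the cache key
        if key in self.store:
            return self.store[key]           # served from cache; origin is not consulted
        for name, value in req.headers.items():
            if len(name) + len(value) > CACHE_MAX_HEADER_BYTES:
                return Response(431, "cache rejected the request")  # the cache's own, looser check
        resp = origin(req)
        # Naive behaviour: store whatever the origin returned, error pages included.
        # Mitigated behaviour: store successful responses only.
        if resp.status < 400 or self.cache_error_pages:
            self.store[key] = resp
        return resp


def simulate(cache_error_pages: bool) -> list:
    """Status codes seen by one over-sized-header request followed by a normal user's request."""
    cache = SharedCache(cache_error_pages)
    # Constructed request: a header that fits the cache's limit but exceeds the origin's.
    oversized = Request("/index.html", {"X-Oversized": "a" * (ORIGIN_MAX_HEADER_BYTES + 1)})
    normal = Request("/index.html", {"Accept": "text/html"})
    return [cache.fetch(oversized).status, cache.fetch(normal).status]


if __name__ == "__main__":
    print("error pages cached :", simulate(cache_error_pages=True))   # [400, 400]
    print("error pages skipped:", simulate(cache_error_pages=False))  # [400, 200]
```

With error pages cached, the second, perfectly normal request is answered from the poisoned entry and never reaches the origin; with error pages excluded from the cache, the origin is asked again and the normal user gets the real content. The cost the article alludes to is visible in the model too: every request that produces an error now reaches the origin, so a burst of error-producing requests is no longer absorbed by the cache.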