Cache poisoning is an attack vector that exploits the way domain name system (DNS) clients and web servers improve performance by saving previous responses for a specified period of time in a temporary storage area called a cache.
Attackers can corrupt cache by replacing legitimately saved data in cache with compromised data that contains malicious code. When the compromised data is sent to the requesting client, the malicious code will redirect the client or infect it with malware that can collect information or initiate another attack.
As of this writing, there are two major types of cache poisoning attacks: DNS poisoning and web cache poisoning.
How DNS cache poisoning works
DNS cache poisoning is the corruption of an Internet server's domain name system table by replacing an Internet address with that of another, rogue address. When a Web user seeks the page with that address, the request is redirected by the rogue entry in the table to a different address. At that point, a worm, spyware, Web browser hijacking program, or other malware can be downloaded to the user's computer from the rogue location.
When a DNS client needs to access data, it first checks the cache. If the requested data is found in the cache, it's called a cache hit. If the requested data isn't found in the cache -- a situation known as a cache miss -- it is pulled from main memory and copied into the cache. How this is done, and which data is ejected from the cache to make room for the new data, depends on the caching algorithm or policies the system uses.
If attackers are able to spoof a response for a DNS request, they may be able to contaminate the DNS cache with an incorrect record. By poisoning the caches of DNS clients and servers, an attacker can redirect traffic to malicious hosts, which can lead to further compromise.
Cache poisoning is particularly dangerous when the targets are well-known and trusted sites, such as those to which browsers are pointed when automatic virus-definition updates are performed.
DNS cache poisoning is related to URL poisoning.
How web cache poisoning works
In the past, web cache poisoning was deemed too complex to be a real threat. However, in a Black Hat 2018 session entitled "Practical Web Cache Poisoning: Redefining 'Unexploitable,'" James Kettle, head of research at PortSwigger Web Security, demonstrated how unkeyed inputs can be abused to take control of web caches and manipulate platforms such as Drupal and Mozilla's Firefox browser.
To prevent websites from having their caches used as exploit delivery systems, web admins need to properly configure the HTTP response headers their servers send. Use the Vary HTTP response header to tell any HTTP cache which parts of the request header -- other than the path and the Host header -- to include in the cache key when looking up the right object.
Web developers should also avoid using input from HTTP request headers and cookies where possible, and validate and cleanse any inputs they do use. They should also use the Param Miner extension to audit their applications for unkeyed inputs introduced by the frameworks or third-party components they use, and ensure those inputs are handled properly.
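The following is an added illustration, not code from the original article or from any real cache: a toy shared HTTP cache that shows why a response built from an unkeyed request header is served to later clients, and how the Vary header (or simply not using the header) changes the outcome. The names SimpleCache, make_origin, demo and the hostnames are constructed for the demo.

```python
# Added illustration (not from the original article): a toy shared HTTP cache.
# The cache key is (path, Host) plus whatever request headers the origin names
# in Vary, mirroring the article's advice. Hostnames are constructed.

def make_origin(use_forwarded_host, vary_on_it):
    """Return an origin function: (path, request headers) -> (body, response headers)."""
    def origin(path, req):
        # Insecure pattern: building the response from a request header the
        # cache does not key on. The hardened form uses only the Host header.
        host = req.get("X-Forwarded-Host", req["Host"]) if use_forwarded_host else req["Host"]
        body = f'<script src="https://{host}/static/app.js"></script>'
        resp_headers = {"Vary": "X-Forwarded-Host"} if vary_on_it else {}
        return body, resp_headers
    return origin

class SimpleCache:
    """Cache key = (path, Host) plus the request headers named in Vary."""
    def __init__(self, origin):
        self.origin = origin
        self.store = {}  # (path, Host) -> list of (vary names, selecting values, body)

    def _vary_names(self, resp_headers):
        return [h.strip() for h in resp_headers.get("Vary", "").split(",") if h.strip()]

    def get(self, path, req):
        primary = (path, req["Host"])
        for vary, selecting, body in self.store.get(primary, []):
            if all(req.get(h, "") == v for h, v in zip(vary, selecting)):
                return body, "HIT"
        body, resp_headers = self.origin(path, req)
        vary = self._vary_names(resp_headers)
        selecting = [req.get(h, "") for h in vary]
        self.store.setdefault(primary, []).append((vary, selecting, body))
        return body, "MISS"

def demo(use_forwarded_host, vary_on_it):
    """First request carries an untrusted header; second is a normal client."""
    cache = SimpleCache(make_origin(use_forwarded_host, vary_on_it))
    tainted = {"Host": "www.example", "X-Forwarded-Host": "untrusted.example"}
    normal = {"Host": "www.example"}
    cache.get("/", tainted)
    body, status = cache.get("/", normal)
    return body, status, "untrusted.example" in body

if __name__ == "__main__":
    print("unkeyed header reflected:", demo(True, False))   # poisoned HIT
    print("reflected but Vary set:  ", demo(True, True))    # clean MISS
    print("header ignored:          ", demo(False, False))  # clean HIT
```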