{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2019-001.pdf"
    },
    "title": "Web Cache Poisoning Vulnerabilities",
    "serial_number": "2019-001",
    "publish_date": "24-01-2019 08:15:00",
    "description": "Web cache poisoning has long been considered a _theoretical_ threat. However, already published research describes practical examples of this type of attack. Also, recently there have been documented cases of observing exploitation of these types of vulnerabilities on production systems.",
    "url_title": "2019-001",
    "content_markdown": "---\ntitle: 'Web Cache Poisoning Vulnerabilities'\nversion: '1.0'\nnumber: '2019-001'\ndate: 'January 23, 2019'\n---\n\n_History:_\n\n* _23/01/2019 --- v1.0 -- Initial publication_\n\n# Summary\n\nWeb cache poisoning has long been considered a _theoretical_ threat. However, already published research describes practical examples of this type of attack [1]. Also, recently there have been documented cases of observing exploitation of these types of vulnerabilities on production systems.\n\n# Technical Details\n\nCaching improves web-page load times by reducing latency while also reducing the load on the application server. It can be implemented at different levels: as dedicated software, as a service offered by content delivery networks (CDNs), or built into web applications and frameworks. All of these are susceptible to cache poisoning.\n\nWeb cache poisoning is a specific type of a more generic family of cache poisoning vulnerabilities [2]. The impact of a maliciously constructed response from a webserver can be magnified if it is cached and served to multiple users. The published research [1] presents practical ways of cache poisoning by using **unkeyed inputs**. Unkeyed inputs are parts of a request that a cache does not use for _mapping_ the request to a cached response, that is, parts left out of the cache key.\n\n# Products Affected\n\nCache servers and services, web applications and frameworks.\n\n# Recommendations\n\n- Disable caching, if this is possible from an operational point of view. In some cases caching is enabled by default, though not necessarily needed for performance reasons.\n- If disabling the cache is not possible, restrict caching to purely static responses.\n- Audit every URL of an application with `Param Miner` to detect and disable unkeyed inputs. `Param Miner` is a `Burp Suite` extension used to detect unkeyed inputs [3].\n\n# References\n\n[1] <https://portswigger.net/blog/practical-web-cache-poisoning>\n\n[2] <https://www.owasp.org/index.php/Cache_Poisoning>\n\n[3] <https://github.com/PortSwigger/param-miner>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>23/01/2019 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>Web cache poisoning has long been considered a <em>theoretical</em> threat. However, already published research describes practical examples of this type of attack [1]. Also, recently there have been documented cases of observing exploitation of these types of vulnerabilities on production systems.</p><h2 id=\"technical-details\">Technical Details</h2><p>Caching improves web-page load times by reducing latency while also reducing the load on the application server. It can be implemented at different levels: as dedicated software, as a service offered by content delivery networks (CDNs), or built into web applications and frameworks. All of these are susceptible to cache poisoning.</p><p>Web cache poisoning is a specific type of a more generic family of cache poisoning vulnerabilities [2]. The impact of a maliciously constructed response from a webserver can be magnified if it is cached and served to multiple users. The published research [1] presents practical ways of cache poisoning by using <strong>unkeyed inputs</strong>. Unkeyed inputs are parts of a request that a cache does not use for <em>mapping</em> the request to a cached response, that is, parts left out of the cache key.</p><h2 id=\"products-affected\">Products Affected</h2><p>Cache servers and services, web applications and frameworks.</p><h2 id=\"recommendations\">Recommendations</h2><ul><li>Disable caching, if this is possible from an operational point of view. In some cases caching is enabled by default, though not necessarily needed for performance reasons.</li><li>If disabling the cache is not possible, restrict caching to purely static responses.</li><li>Audit every URL of an application with <code>Param Miner</code> to detect and disable unkeyed inputs. <code>Param Miner</code> is a <code>Burp Suite</code> extension used to detect unkeyed inputs [3].</li></ul><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://portswigger.net/blog/practical-web-cache-poisoning\">https://portswigger.net/blog/practical-web-cache-poisoning</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.owasp.org/index.php/Cache_Poisoning\">https://www.owasp.org/index.php/Cache_Poisoning</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://github.com/PortSwigger/param-miner\">https://github.com/PortSwigger/param-miner</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}