Cache poisoning is the corruption of cached content with fake or malicious data. This kind of attack occurs regardless of the type of web hosting in use. How is it performed, and are there any ways to prevent it?
Caching of web content boosts performance on both sides, the server and the user. It is widely used in CDNs (content delivery networks) to accelerate the loading of data. Unfortunately, the HTTP protocol that underpins the caching mechanism checks integrity on the server side only. A lack of authentication (especially in DNS software) gives attackers an opportunity to corrupt the cache.
Once the poisoned entry has been cached, every visitor served from it receives illegitimate data, or is routed to an IP address under the attacker's control. This continues until the cache entry is removed or purged. To prevent cache poisoning, technologies such as SRI (Subresource Integrity) and the firewalls offered with CDN services can be used.
How it works
Cache poisoning can be performed in several ways. One method presupposes taking over the origin server (for a few minutes or hours) in order to alter the web content and have it cached for a long period of time.
In another method, the intermediate web cache server is attacked by interfering with the synchronization of HTTP requests and responses between the cache and the origin server. Here the attacker splits the HTTP response: malicious data is sent to the web application in an HTTP request, ends up in the HTTP response, and is forwarded to visitors, most often without validation.
Generally, the approaches to cache poisoning are the following:
- The attacker searches for flaws in the code and then injects illegitimate headers into the HTTP response headers.
- The attacker removes legitimate content from the cache server.
- The attacker sends a malicious request or data (for instance, a forged DNS response) to the cache server.
- The corrupted content is stored in the cache.
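As an added illustration of the response-splitting path described above (example code written for this article, not code from the page or from any project): a redirect handler that copies a request-supplied value into the Location header, placed beside a hardened version that validates the value first. The input `INJECTED_TARGET` is constructed for the demonstration, and `split_responses` is a simplified stand-in for how a naive cache or proxy would read the resulting byte stream.

```python
import re
from typing import Dict, List

# A header value must never contain CR or LF: those bytes terminate the
# header line, so anything after them is parsed as further headers or as a
# new message. That is the whole mechanism behind HTTP response splitting.
_CTL_RE = re.compile(r"[\r\n]")


def _render_redirect(target: str) -> bytes:
    # Shared template; the redirect itself is marked cacheable for an hour.
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {target}\r\n"
        "Cache-Control: public, max-age=3600\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


def build_redirect_vulnerable(target: str) -> bytes:
    # 'Before' version: the request-supplied value goes into the Location
    # header unchecked (constructed to show the flaw; not the page's code).
    return _render_redirect(target)


def is_safe_location(target: str) -> bool:
    # Accept only CR/LF-free values that are either a site-relative path
    # (but not a protocol-relative "//host" URL) or an absolute http(s) URL.
    if _CTL_RE.search(target):
        return False
    if target.startswith("//"):
        return False
    return target.startswith("/") or re.match(r"^https?://", target) is not None


def build_redirect_hardened(target: str) -> bytes:
    # Fixed version: same template, but the value is validated first.
    if not is_safe_location(target):
        raise ValueError("rejected Location value (possible header injection)")
    return _render_redirect(target)


def split_responses(raw: bytes) -> List[Dict[str, str]]:
    # Simplified view of a naive cache: every "HTTP/1.1 " status line starts
    # a new message. Returns the status line and headers of each message.
    messages = []
    for chunk in raw.split(b"HTTP/1.1 ")[1:]:
        head = chunk.split(b"\r\n\r\n", 1)[0].decode("latin-1")
        lines = head.split("\r\n")
        headers = {"status": lines[0]}
        for line in lines[1:]:
            name, sep, value = line.partition(":")
            if sep:
                headers[name.strip().lower()] = value.strip()
        messages.append(headers)
    return messages


# Constructed input: a path followed by CR/LF sequences that close the
# redirect early and append a complete second response, which declares
# itself cacheable. A cache that reads the stream as two messages can pair
# the second one with the next queued request and store it.
INJECTED_TARGET = (
    "/home\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Cache-Control: public, max-age=3600\r\n"
    "Content-Length: 17\r\n"
    "\r\n"
    "<h1>poisoned</h1>"
)

if __name__ == "__main__":
    for name, builder in (("vulnerable", build_redirect_vulnerable),
                          ("hardened", build_redirect_hardened)):
        try:
            msgs = split_responses(builder(INJECTED_TARGET))
            print(f"{name}: {len(msgs)} message(s): {[m['status'] for m in msgs]}")
        except ValueError as exc:
            print(f"{name}: {exc}")
```

Running the block prints two messages for the vulnerable builder and a rejection for the hardened one. The defensive point is that the check belongs on the value, not on the output: any web framework that refuses CR/LF in header values closes this path, and a cache that only stores responses whose framing it fully understands limits the damage.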
Examples of cache poisoning
Typically, in DNS poisoning, attackers replace the genuine IP address in the DNS cache with an address they control. Users of the affected server are unaware of the situation, and when they are served from this cache, they are redirected to the attacker's malicious web-site. This may be a site that serves malicious downloads, or one that steals personal information.
Cache poisoning does a lot of damage to both users and the web-sites they try to access. It can literally ruin a business by breaking its infrastructure and discrediting its brand image. It is therefore important to make sure that the security measures in place are strong enough. You can strengthen DNS security by deploying DNSSEC, limiting recursive DNS queries and checking the data that is stored and sent to visitors. If you opt for a CDN service, make sure that enough security options are provided with it.
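The SRI mentioned earlier as a CDN-side defence, and the closing advice to check what a CDN serves, as an added example (written for this article, not code from the page or from any project): the integrity value is computed when the script is published, and fetched content is re-checked the way a browser does, so a copy altered in a poisoned CDN cache is rejected. The script contents are constructed, and https://cdn.example/app.js is a placeholder URL.

```python
import base64
import binascii
import hashlib
import hmac

# Digest algorithms the SRI specification allows, weakest to strongest.
_SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    # One integrity token: "<alg>-<base64 of the raw digest>".
    if algorithm not in _SRI_ALGORITHMS:
        raise ValueError("SRI allows sha256, sha384 or sha512 only")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes, algorithm: str = "sha384") -> str:
    # Tag to emit when the origin publishes a script that a CDN will serve.
    # crossorigin="anonymous" is needed for SRI on cross-origin resources.
    return (f'<script src="{src}" integrity="{sri_hash(content, algorithm)}" '
            'crossorigin="anonymous"></script>')


def verify_sri(content: bytes, integrity: str) -> bool:
    # Mirror of the browser-side check: parse the integrity attribute, keep
    # only the tokens of the strongest algorithm present, and accept the
    # content if its digest matches any of them (constant-time comparison).
    tokens = []
    for token in integrity.split():
        alg, sep, b64 = token.partition("-")
        if sep and alg in _SRI_ALGORITHMS:
            tokens.append((alg, b64))
    if not tokens:
        # Browsers skip the check when no token parses; this helper fails
        # closed instead, which is the safer choice for a server-side audit.
        return False
    strongest = max((alg for alg, _ in tokens), key=_SRI_ALGORITHMS.index)
    for alg, b64 in tokens:
        if alg != strongest:
            continue
        try:
            expected = base64.b64decode(b64, validate=True)
        except (binascii.Error, ValueError):
            continue
        actual = hashlib.new(alg, content).digest()
        if hmac.compare_digest(actual, expected):
            return True
    return False


# Constructed sample: the script the origin published, and a copy that was
# altered on the way to the visitor (e.g. from a poisoned CDN cache).
GOOD_SCRIPT = b"window.trackPageView = function () { /* legit */ };\n"
POISONED_SCRIPT = b"window.trackPageView = function () { /* altered copy */ };\n"

if __name__ == "__main__":
    tag = script_tag("https://cdn.example/app.js", GOOD_SCRIPT)
    integrity = sri_hash(GOOD_SCRIPT)
    print(tag)
    print("published copy accepted:", verify_sri(GOOD_SCRIPT, integrity))
    print("altered copy accepted:  ", verify_sri(POISONED_SCRIPT, integrity))
```

The same check can be run from a monitoring job against whatever the CDN edge is currently serving, which covers the "checking the data stored and sent to visitors" advice above: a mismatch between the published digest and the edge copy is a direct signal that the cached object has changed.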