A new attack called ‘CPDoS’ can poison CDN caches so that they deliver error pages instead of legitimate sites.
A team of researchers from the Technical University of Cologne (TH Köln) has discovered a new cache poisoning attack, named ‘Cache-Poisoned Denial of Service (CPDoS)’, that turns a Content Delivery Network (CDN) against the site it fronts using a single HTTP request carrying a malicious header.
The issue can affect sites served through CDN services such as Fastly, Amazon CloudFront, CDN77, Akamai and Cloudflare.
Content Delivery Networks (CDNs)
A CDN is a geographically distributed network of proxy servers and their data centres that delivers pages and other web content to end users with high availability and performance. Because these edge caches sit between users and the origin server, whatever they store is what users receive.
Cache poisoning attack
- An attacker sends a single HTTP request containing a malicious header for a resource on the victim domain.
- The intermediate cache neither inspects nor objects to that header; from its point of view the request is unremarkable.
- Because the cache holds no fresh copy of the targeted resource, it forwards the request to the origin server.
- The origin server cannot process the malicious header and responds with an error (for example 400 Bad Request).
- The cache stores this error response under the resource's key instead of the legitimate content.
- Subsequent users requesting the resource are served the cached error page instead of the original content, until the entry expires or is purged.
Variants of CPDoS
The malicious request can take one of three forms:
- HTTP Header Oversize (HHO): a header larger than the origin server accepts but still within the cache's own limit, so the cache forwards it and the origin rejects it.
- HTTP Meta Character (HMC): a header containing a harmful meta character (such as a control character) that the origin refuses to parse.
- HTTP Method Override (HMO): a header such as X-HTTP-Method-Override that makes the origin treat a GET as a method it does not allow for that resource.
Mitigations
- Cache error pages only as the HTTP standard allows: RFC 7231 lists only a few error status codes (such as 404 and 405) as cacheable by default, so a 400 Bad Request provoked by a malformed header should never be stored.
- Many CDN providers offer a dashboard setting that stops the CDN from caching HTTP error pages at all; enabling it closes the attack regardless of the status code the origin returns.
- Website owners can harden their origin servers against this abuse with minimal effort.
- Deploy a Web Application Firewall (WAF) in front of the cache so that malicious requests are blocked before they reach the origin.
“A Web Application Firewall can also be deployed to mitigate CPDoS attacks. However, WAFs must be placed in front of the cache in order to block malicious content before it reaches the origin server. WAFs that are placed in front of the origin server can be exploited to provoke error pages that get cached as well,” said the researchers.
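The attack steps and the three variants above, played out in a toy model of an edge cache in front of an origin server. This is an added example, not the researchers' code or any vendor's implementation; the edge and origin header limits, the set of rejected meta characters, the `x-http-method-override` header name and the three cache policies are assumptions chosen to illustrate the mechanism. It also carries the mitigation list one step further: a cache that follows RFC 7231's default-cacheable status codes refuses the 400 responses provoked by HHO and HMC, but still stores a 405 Method Not Allowed from an HMO request, because 405 is cacheable by default, so only the "do not cache error pages" setting stops all three.

```python
"""Toy edge cache + origin to walk through CPDoS.  Added example; the limits,
character set, header name and policies are assumptions, not vendor behaviour."""
from dataclasses import dataclass

# Assumed limits: the edge accepts larger headers than the origin, which is
# exactly what lets an HHO request pass the cache and fail at the origin.
EDGE_MAX_HEADER_BYTES = 20 * 1024
ORIGIN_MAX_HEADER_BYTES = 8 * 1024
# Assumed set of characters the origin refuses inside a header value (HMC).
META_CHARS = frozenset("\r\n\x07\x1b")
# Assumed name of the override header the origin honours (HMO).
OVERRIDE_HEADER = "x-http-method-override"
# Status codes RFC 7231 section 6.1 lists as cacheable by default.
RFC7231_CACHEABLE = frozenset({200, 203, 204, 206, 300, 301, 404, 405, 410, 414, 501})


@dataclass
class Request:
    method: str
    path: str
    headers: dict  # lower-case header name -> value


@dataclass
class Response:
    status: int
    body: str


def header_size(name, value):
    return len(name) + len(value) + 4  # "name: value\r\n"


class Origin:
    """Origin server: rejects oversized or malformed headers, honours method override."""

    def handle(self, req):
        for name, value in req.headers.items():
            if header_size(name, value) > ORIGIN_MAX_HEADER_BYTES:
                return Response(400, "Bad Request: header too large")  # HHO
            if any(c in META_CHARS for c in value):
                return Response(400, "Bad Request: malformed header")  # HMC
        method = req.headers.get(OVERRIDE_HEADER, req.method).upper()  # HMO
        if req.path != "/index.html":
            return Response(404, "Not Found")
        if method != "GET":
            return Response(405, "Method Not Allowed")
        return Response(200, "<html>welcome</html>")


class EdgeCache:
    """Caching proxy. policy is 'cache_all', 'rfc7231' or 'no_error_pages'."""

    def __init__(self, origin, policy):
        self.origin, self.policy, self.store = origin, policy, {}

    def _cacheable(self, resp):
        if self.policy == "cache_all":
            return True
        if self.policy == "rfc7231":
            return resp.status in RFC7231_CACHEABLE
        return resp.status < 400  # no_error_pages

    def fetch(self, req):
        """Return (response, served_from_cache)."""
        for name, value in req.headers.items():
            if header_size(name, value) > EDGE_MAX_HEADER_BYTES:
                return Response(400, "Bad Request (edge)"), False  # never stored
        key = (req.method, req.path)  # the malicious header is not part of the key
        if key in self.store:
            return self.store[key], True
        resp = self.origin.handle(req)
        if self._cacheable(resp):
            self.store[key] = resp
        return resp, False


def malicious_headers(variant):
    """The single poisoned header for each CPDoS variant."""
    if variant == "HHO":  # sized between the origin's and the edge's limit
        return {"x-oversized": "A" * (ORIGIN_MAX_HEADER_BYTES + 1)}
    if variant == "HMC":  # constructed value containing a control character
        return {"x-metachar": "\x07evil"}
    if variant == "HMO":
        return {OVERRIDE_HEADER: "POST"}
    raise ValueError(variant)


def run_cpdos(variant, policy, path="/index.html"):
    """Attacker sends one poisoned request, then a normal user asks for the same URL.
    Returns (status the user sees, whether it came from the cache)."""
    cache = EdgeCache(Origin(), policy)
    cache.fetch(Request("GET", path, malicious_headers(variant)))  # steps 1 to 5
    resp, hit = cache.fetch(Request("GET", path, {"user-agent": "browser"}))  # step 6
    return resp.status, hit


if __name__ == "__main__":
    for policy in ("cache_all", "rfc7231", "no_error_pages"):
        for variant in ("HHO", "HMC", "HMO"):
            print(f"{policy:15} {variant}: {run_cpdos(variant, policy)}")
```

Under `cache_all` every variant leaves the user with a cached error; under `rfc7231` the 400s from HHO and HMC are not stored but the 405 from HMO is; under `no_error_pages` the user's request misses and fetches the real page. Against a real CDN the same probe is a request with one of these headers followed by a clean request to the same URL, checking the second response's status and the CDN's cache-hit header.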
Researchers have published a demonstration video targeting an application hosted on Amazon CloudFront.
The researchers notified the affected vendors about the issue, and some of them have already released fixes.