HTTP-only attack limits the scope, but nonetheless poses a dangerous threat

Standard HTTP ‘permanent redirect’ (301) responses could be used to poison browser caches, security researcher Piotr Duszyński has shown.

The vulnerability relies on running a man in the middle (MITM) attack and only works on HTTP resources, limiting the scope from mischief. If successfully carried out, however, the impact is severe.

Victims who use an insecure HTTP connection will be left with a near-permanent or at least extended browser security compromise of their machine.

The semi-permanence arises because the HTTP 301 response will be cached indefinitely by the browser, unless dictated otherwise by the ‘Cache-Control’ header.

The latest cache poisoning-style attack might be combined with Client Domain Hooking, an earlier web security attack.

Client Domain Hooking is a technique to force an application to “communicate only through a chosen attacker-controlled domain through a single intercepted HTTP request, and without breaking applications functionality”, Duszyński explains (PDF). This technique was originally implemented in the ‘Modlishka’ reverse proxy.

Duszyński notes that there are a number of limitations to HTTP 301 Cache Poisoning.

For one thing, the attack only works whilst non-TLS HTTP traffic can be intercepted by an attacker (e.g. on an insecure WIFI network).

Secondly, the hack is only possible for non-TLS URLs/resources that haven’t been previously cached by the browser. Any app using TLS traffic only is immune.

But if successfully carried out a hacker could use the attack to misdirect users towards malign sites under their control, rather than a benign site that a victim is trying to visit.

“Once HTTP 301 Cache is poisoned it will permanently point chosen non-TLS URLs to an attacker-controlled endpoint, taking priority over DNS resolved queries for the related resource,” Duszyński explains.

“This means that through a standard MITM attack, an attacker can set up arbitrary cache entries for non-TLS URLs by intercepting a single clear-text HTTP request.

“These entries will always force the browser to connect to an attacker-controlled endpoint, regardless of current network (secure or in-secure) location.”


RELATED What’s your poison? New attack method turns the tables on web caching