What’s your poison? New attack method turns the tables on web caching

PortSwigger’s James Kettle has designed a new technique that turns server-side web caches into exploit delivery systems

At this year’s Black Hat USA, James Kettle, head of research at PortSwigger Web Security, will demonstrate how a new web cache poisoning technique enabled him to take control of numerous well-known websites and frameworks, in addition to infrastructure that underpins open-source software giant, Mozilla.

Server-side caching – the process of storing web content and other data at various points along the delivery path – is widely employed as a means to increase website performance and scalability.

While caching can help improve site responsiveness and reduce network costs, these additional levels of storage have resulted in what Kettle calls a “crude patchwork of content delivery networks” – with each additional layer of caching opening the doors to more potential security loopholes.

During his presentation at Black Hat USA, which takes place in Las Vegas on August 4-9, the researcher will illustrate how he was able to use his new web cache poisoning technique to compromise websites by using esoteric web features that turn their caches into exploit delivery systems, targeting everyone that makes the mistake of visiting their homepage.

Kettle will explain how the technique handed him control over numerous websites and frameworks, progressing from simple single-request attacks to intricate exploit chains that hijack JavaScript, pivot across cache layers, subvert social media, and misdirect cloud services.

“Unlike previous cache poisoning techniques, this approach doesn’t rely on other vulnerabilities like response splitting, or cache-server quirks that are easily patched away,” he stated. “Instead, it exploits core principles of caching, and as such affects caching solutions indiscriminately.”

According to Kettle, the repercussions of this new attack technique extend beyond websites. “Using this approach, I was able to compromise Mozilla infrastructure and partially hijack a notorious Firefox feature, letting me conduct tens of millions of Firefox browsers as my personal low-fat botnet,” he said.

While the security community will have to wait until the conference for the full, gory details, the message is clear: if you use caching you should be worried.

“The web is getting more and more complex,” Kettle told The Daily Swig. “Although we have made great progress over recent years, for example reducing the prevalence of cross-site request forgery vulnerabilities, we are now making things horrendously complex, with bizarre, convoluted architectures composed of multiple cache layers.”

He added: “Server-side caching is often just a sticking plaster to compensate for the poor performance of backend servers. With so many moving parts, it’s no surprise that things are starting to go wrong.”