New cache poisoning attack affects Cloudflare, Cloudfront, Fastly, Akamai, and CDN77

A group of web application security specialists from Cologne University, Germany, has published a report describing a new form of cyberattack that abuses CDN caching to show victims fake error pages instead of the legitimate website.

“When a user returns to a previously visited website, they typically receive a cached version of the site using a content delivery network (CDN), such as Cloudflare,” the experts mention. During the attack, dubbed Cache Poisoning Denial of Service (CPDoS), the attacker requests a page through the CDN so that the CDN forwards the request to the origin web server. However, that request carries a header crafted in one of the following three ways:

  • An HTTP Header Oversize (HHO)
  • An HTTP Meta Character (HMC)
  • An HTTP Method Override (HMO)

According to web application security experts, any of these three variants will cause the origin web server to return an error. The error page is then cached by the CDN (normally an ordinary process), so it ends up being delivered to subsequent users. “This error page will be sent to other CDN nodes as they are refreshed, so globally users of the affected site will face the error page, simulating a denial of service,” the experts mention.

Although there is no true denial-of-service condition, this attack could affect a website’s operations, reputation, and even revenue.

The report has raised concerns among some website administrators, but the sensible response is to implement a few measures that prevent this condition. The main preventive measure is to disable caching of any HTTP error page, an option that is enabled by default on almost any CDN service. This way, HTTP error pages will not be replicated through the content distribution network.

In addition, web application security experts recommend that website administrators verify that their CDN provider conforms to the standard HTTP caching specifications, and that they restrict some cache features. Configuring the cache so that only a few error pages (such as 404 Not Found and 400 Bad Request) can be stored will reduce the impact of such attacks.
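The mechanism described above (an error produced by one crafted request being cached and served to every later visitor) and the mitigation of not caching error pages can be seen side by side in the following simulation. This is an added illustration, not code from the report or from any CDN; the origin limit `MAX_HEADER_BYTES`, the `naive_policy`/`hardened_policy` functions and the `simulate` driver are all constructed for the example.

```python
"""Toy CDN edge cache showing why caching error responses enables CPDoS
and how a stricter cache-admission policy prevents it. Constructed example:
the origin, its header limit and both policies are stand-ins."""
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet

MAX_HEADER_BYTES = 8192  # constructed origin limit on a single header line


@dataclass
class Response:
    status: int
    body: str


def origin(path: str, headers: Dict[str, str]) -> Response:
    """Toy origin server: rejects any request with an oversized header."""
    for name, value in headers.items():
        if len(name) + len(value) > MAX_HEADER_BYTES:
            return Response(400, "Bad Request")
    return Response(200, f"page for {path}")


def naive_policy(resp: Response) -> bool:
    # Stores whatever the origin returned, error pages included.
    return True


def hardened_policy(resp: Response,
                    cacheable_errors: FrozenSet[int] = frozenset({404})) -> bool:
    # Stores successful responses plus an explicit short list of error codes.
    return resp.status == 200 or resp.status in cacheable_errors


@dataclass
class EdgeCache:
    policy: Callable[[Response], bool]
    store: Dict[str, Response] = field(default_factory=dict)

    def fetch(self, path: str, headers: Dict[str, str]) -> Response:
        if path in self.store:          # cache hit: origin is never asked
            return self.store[path]
        resp = origin(path, headers)
        if self.policy(resp):           # admission decision is the whole point
            self.store[path] = resp
        return resp


def simulate(policy: Callable[[Response], bool]) -> int:
    """One request with an oversized header, then an ordinary visitor;
    returns the status the ordinary visitor receives."""
    edge = EdgeCache(policy)
    edge.fetch("/index.html", {"X-Oversize": "A" * (MAX_HEADER_BYTES + 1)})
    return edge.fetch("/index.html", {}).status
```

With `naive_policy` the ordinary visitor receives the cached 400; with `hardened_policy` the error is never admitted to the cache, so the visitor gets a fresh 200 from the origin.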

The researchers reported their findings to the affected companies in a timely manner; thanks to these reports, companies like Amazon and Microsoft have started implementing steps to fix these issues.

Other affected companies, such as Flask, have not commented on the reports, so it remains to be seen whether users of their services manage to mitigate the risk of exploitation. International Institute of Cyber Security (IICS) web application security experts recommend that website administrators who still have doubts about this attack and its mitigations go directly to the website created to publish all the details about this condition.