---
licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0)
licence_link: https://creativecommons.org/licenses/by/4.0/
licence_restrictions: https://cert.europa.eu/legal-notice
licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies
title: 'Web Cache Poisoning Vulnerabilities'
version: '1.0'
number: '2019-001'
date: 'January 23, 2019'
---

_History:_

* _23/01/2019 --- v1.0 -- Initial publication_

# Summary

Web cache poisoning has long been considered a _theoretical_ threat. However, published research already describes practical examples of this type of attack [1]. Exploitation of these types of vulnerabilities against production systems has also recently been documented.

# Technical Details

Caching improves web-page load times by reducing latency while also reducing the load on the application server. It can be implemented at different levels: in dedicated caching software, as a service offered by content delivery networks (CDN), or built into web applications and frameworks. All of these are susceptible to cache poisoning.

Web cache poisoning is a specific member of the more general family of cache poisoning vulnerabilities [2]. The impact of a maliciously constructed response from a web server is magnified if that response is cached and then served to multiple users.

The published research [1] presents practical ways of poisoning caches through **unkeyed inputs**. Unkeyed inputs are parts of a request (for example certain headers) that the cache does not include in the cache key it uses to map requests to stored responses, even though they influence the response generated by the application.

# Products Affected

Cache servers and services, web applications and frameworks.

# Recommendations

- Disable caching where this is possible from an operational point of view. In some cases caching is enabled by default without being needed for performance reasons.
- If disabling the cache is not possible, restrict caching to purely static responses.
- Audit every URL of an application with `Param Miner` to detect and disable unkeyed inputs.
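To make the unkeyed-input problem and the recommendations above concrete, the following Python model is an added example (not CERT-EU's code and not taken from the cited research). It assumes a hypothetical origin application that reflects the `X-Forwarded-Host` request header into its HTML, and a toy cache in front of it; the host names `example.test` and `evil.test` are constructed placeholders. It contrasts a cache keyed only on host and path (the header is unkeyed, so one poisoned response is served to the next user) with two mitigations that match the recommendations: including the influencing header in the cache key, and restricting caching to static responses.

```python
"""Toy model of web cache poisoning via an unkeyed request header (constructed example)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple


@dataclass
class Request:
    host: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    body: str
    cacheable: bool = True


def origin(req: Request) -> Response:
    """Hypothetical origin: static assets are plain files, dynamic pages reflect
    X-Forwarded-Host into a script URL (the constructed weakness being modelled)."""
    if req.path.startswith("/static/"):
        return Response(body=f"static:{req.path}", cacheable=True)
    base = req.headers.get("X-Forwarded-Host", req.host)
    return Response(body=f'<script src="https://{base}/app.js"></script>', cacheable=True)


def static_only_origin(req: Request) -> Response:
    """Same origin, but only static responses are marked cacheable (recommendation 2)."""
    resp = origin(req)
    resp.cacheable = req.path.startswith("/static/")
    return resp


class Cache:
    """Minimal cache: stores cacheable responses under key_fn(request)."""

    def __init__(self, key_fn: Callable[[Request], Tuple], origin_fn: Callable[[Request], Response]):
        self.key_fn = key_fn
        self.origin_fn = origin_fn
        self.store: Dict[Tuple, Response] = {}
        self.hits = 0

    def get(self, req: Request) -> Response:
        key = self.key_fn(req)
        if key in self.store:
            self.hits += 1
            return self.store[key]
        resp = self.origin_fn(req)
        if resp.cacheable:
            self.store[key] = resp
        return resp


def weak_key(req: Request) -> Tuple:
    # Host and path only: X-Forwarded-Host influences the response but is not keyed.
    return (req.host, req.path)


def keyed_key(req: Request) -> Tuple:
    # The influencing header becomes part of the key (what a Vary-style rule achieves).
    return (req.host, req.path, req.headers.get("X-Forwarded-Host", ""))


def poisons_next_user(key_fn, origin_fn) -> bool:
    """Return True if a response shaped by an untrusted header is served to a later
    request that did not send the header, i.e. the cache was poisoned."""
    cache = Cache(key_fn, origin_fn)
    # Constructed first request carrying the untrusted header value.
    cache.get(Request("example.test", "/", {"X-Forwarded-Host": "evil.test"}))
    # Constructed follow-up request from an ordinary user without the header.
    later = cache.get(Request("example.test", "/"))
    return "evil.test" in later.body


def static_still_cached(origin_fn) -> bool:
    """Check that the mitigation keeps caching static assets (second fetch is a hit)."""
    cache = Cache(weak_key, origin_fn)
    cache.get(Request("example.test", "/static/app.css"))
    cache.get(Request("example.test", "/static/app.css"))
    return cache.hits == 1


if __name__ == "__main__":
    print("weak key, reflecting origin   :", poisons_next_user(weak_key, origin))          # True
    print("header in key                 :", poisons_next_user(keyed_key, origin))         # False
    print("static-only caching           :", poisons_next_user(weak_key, static_only_origin))  # False
    print("static assets still cached    :", static_still_cached(static_only_origin))     # True
```

The first simulation shows why unkeyed inputs matter: the cache cannot distinguish the poisoned response from a clean one because the header that shaped it was never part of the key. Keying on the header removes the problem for that header only; an audit of every URL is still needed to find the other inputs the application reflects, which is the purpose of the `Param Miner` step. Restricting caching to static responses removes the problem for all dynamic pages at once while keeping the performance benefit for assets.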
`Param Miner` is a `Burp Suite` extension used to detect unkeyed inputs [3].

# References

[1]

[2]

[3]