Cache poisoning, also known as DNS poisoning or DNS cache spoofing, involves corrupting the cached Domain Name System records of a resolver so that a valid name-to-address mapping is replaced with an attacker-controlled address. When a web user then looks up the affected name, the request is redirected to the rogue location, from which a worm, spyware, a browser-hijacking program, a DNS spoofing tool, or other malware can be downloaded to the user's computer. The same term is used for web cache poisoning, where the poisoned object is an HTTP response held by a proxy or browser cache rather than a DNS record; the mechanisms described below concern that variant.
A web cache poisoning attack becomes possible through HTTP Response Splitting or through improper handling of the Host header, both of which abuse flaws in the web application or the servers in front of it. The Host header method involves sending a single request carrying multiple Host headers to the vulnerable web server or caching proxy (not to a DNS server), so that the components in the request path disagree about which value is the request's host.
Apache will concatenate all Host headers present, whereas Varnish uses the first Host header and Nginx uses the last. An attacker who knows which component keys the cache entry can therefore place the Host value he wants cached in the position that component honours, while leaving a legitimate value in the position the other components read. Confirm this behaviour against the exact versions and configuration in use before relying on it, since header handling is configurable and changes between releases.
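The following is an added example, not code from the original page or from any of the servers it names. It models the three duplicate-Host behaviours the text attributes to Apache, Varnish and Nginx as selectable policies (an assumption taken from the text, not the servers' own parsing code), builds a request that positions a rogue Host value for a chosen target, and shows the edge check that defeats the trick: accept only requests with exactly one, non-comma-joined Host header. The hostnames and the function names are illustrative.

```python
# Added example (not from the original page): model the duplicate-Host
# handling the text attributes to Apache, Varnish and Nginx, build a request
# that targets one of them, and check a request at the edge. The three
# policies are an assumption taken from the text, not the servers' own code.
from typing import Callable, Dict, List, Tuple


def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Split a raw HTTP/1.1 request head into (name, value) pairs, keeping
    order and duplicates; the request line and any body are dropped."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    pairs = []
    for line in head.split("\r\n")[1:]:
        if line:
            name, _, value = line.partition(":")
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


# Which Host value each component ends up acting on when several are present.
POLICIES: Dict[str, Callable[[List[str]], str]] = {
    "apache":  lambda vals: ", ".join(vals),   # concatenates all of them
    "varnish": lambda vals: vals[0],           # first one wins
    "nginx":   lambda vals: vals[-1],          # last one wins
}


def effective_host(raw: bytes, component: str) -> str:
    """The host `component` would route on, or key its cache by, for `raw`."""
    vals = [v for n, v in parse_headers(raw) if n == "host"]
    if not vals:
        raise ValueError("request has no Host header")
    return POLICIES[component](vals)


def build_request(path: str, legit: str, rogue: str, target: str) -> bytes:
    """Put `rogue` where `target`'s policy picks it up, keeping `legit` present
    so a component with the opposite policy still sees the expected host."""
    if target == "varnish":
        hosts = [rogue, legit]
    elif target in ("nginx", "apache"):
        hosts = [legit, rogue]      # Apache keeps both, so it can't be isolated
    else:
        raise ValueError(f"unknown target {target}")
    lines = [f"GET {path} HTTP/1.1"] + [f"Host: {h}" for h in hosts] + ["", ""]
    return "\r\n".join(lines).encode("latin-1")


def single_host_header(raw: bytes) -> bool:
    """Edge check: accept only requests with exactly one Host header that is
    not itself a comma-joined list."""
    vals = [v for n, v in parse_headers(raw) if n == "host"]
    return len(vals) == 1 and "," not in vals[0]


if __name__ == "__main__":
    # Constructed sample: target the last-wins component with a rogue host.
    req = build_request("/", "www.example.com", "attacker.example", "nginx")
    for component in POLICIES:
        print(f"{component:8s} sees Host = {effective_host(req, component)!r}")
    print("accepted at edge:", single_host_header(req))
```

Run it and compare what each policy returns for the same bytes; the disagreement between the first-wins and last-wins components is the whole attack surface, and the edge check removes it by refusing to forward any request for which the answer is ambiguous.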
Links to the poisoned name or URL can be distributed in spam email messages, images, and banner ads, increasing the rate at which the rogue programs spread. If the malicious response is cached in a shared web cache, such as the one found in a proxy server, all users of that cache continue to receive the malicious content until the entry expires or is purged. The same is true if the response is cached in an individual user's browser, although in that case only that user is affected.