| Name |
Cache Poisoning |
|
| Likelyhood of attack |
Typical severity |
| High |
High |
|
| Summary |
An attacker exploits the functionality of cache technologies to cause specific data to be cached that aids the attackers' objectives. This describes any attack whereby an attacker places incorrect or harmful material in cache. The targeted cache can be an application's cache (e.g. a web browser cache) or a public cache (e.g. a DNS or ARP cache). Until the cache is refreshed, most applications or clients will treat the corrupted cache value as valid. This can lead to a wide range of exploits including redirecting web browsers towards sites that install malware and repeatedly incorrect calculations based on the incorrect value. |
| Prerequisites |
The attacker must be able to modify the value stored in a cache to match a desired value. The targeted application must not be able to detect the illicit modification of the cache and must trust the cache value in its calculations. |
| Execution Flow |
| Step |
Phase |
Description |
Techniques |
| 1 |
Explore |
[Identify and explore caches] Use tools to sniff traffic and scan a network in order to locate application's cache (e.g. a web browser cache) or a public cache (e.g. a DNS or ARP cache) that may have vulnerabilities. Look for poisoning point in cache table entries. |
- Run tools that check available entries in the cache.
|
| 2 |
Experiment |
[Cause specific data to be cached] An attacker sends bogus request to the target, and then floods responses that trick a cache to remember malicious responses, which are wrong answers of queries. |
- Intercept or modify a query, or send a bogus query with known credentials (such as transaction ID).
|
| 3 |
Exploit |
[Redirect users to malicious website] As the attacker succeeds in exploiting the vulnerability, they are able to manipulate and interpose malicious response data to targeted victim queries. |
- Intercept or modify a query, or send a bogus query with known credentials (such as transaction ID).
- Adversary-in-the-Middle attacks (CAPEC-94) intercept secure communication between two parties.
|
|
| Solutions | Configuration: Disable client side caching. Implementation: Listens for query replies on a network, and sends a notification via email when an entry changes. |
| Related Weaknesses |
|
CWE ID
|
Description
|
| CWE-345 |
Insufficient Verification of Data Authenticity |
| CWE-346 |
Origin Validation Error |
| CWE-348 |
Use of Less Trusted Source |
| CWE-349 |
Acceptance of Extraneous Untrusted Data With Trusted Data |
| CWE-441 |
Unintended Proxy or Intermediary ('Confused Deputy') |
|
| Related CAPECS |
|
CAPEC ID
|
Description
|
| CAPEC-161 |
An attacker exploits characteristics of the infrastructure of a network entity in order to perpetrate attacks or information gathering on network objects or effect a change in the ordinary information flow between network objects. Most often, this involves manipulation of the routing of network messages so, instead of arriving at their proper destination, they are directed towards an entity of the attackers' choosing, usually a server controlled by the attacker. The victim is often unaware that their messages are not being processed correctly. For example, a targeted client may believe they are connecting to their own bank but, in fact, be connecting to a Pharming site controlled by the attacker which then collects the user's login information in order to hijack the actual bank account. |
|
| Taxonomy: OWASP Attacks |
|
Entry ID
|
Entry Name
|
| Link |
Cache Poisoning |
|