Web Cache Poisoning might sound like something straight out of a security conference talk, but it’s a real threat that can cause serious headaches. Recently, a vulnerability was found on the Shopify theme store website, https://themes.shopify.com, where an attacker could poison the cache by manipulating the Host header.

What Is Web Cache Poisoning?

Let’s break it down:

  1. Web Caching: Websites use caching to store copies of web pages or resources, so they can be delivered quickly to users without regenerating them each time.
  2. The Problem: If an attacker can trick the cache into storing a manipulated version of a page, users might end up seeing this tampered content instead of what they were supposed to get.
  3. Host Header Exploit: The Host header in an HTTP request tells the server which domain the request is for. If the application copies that header into the page it generates (for example, into absolute links to its own resources) and the cache stores the result, an attacker who alters the header can get a version of the site containing a bogus port number cached and served to everyone, leaving users with a broken site.

How the Attack Works

Here’s how the attack was executed:

The Attack: Step-by-Step Breakdown

In this attack, the attacker used a terminal to send repeated requests to https://themes.shopify.com by running the following command:

while true; do curl -ik "https://themes.shopify.com:443/?g4mm4=hitthecache" -H "Host: themes.shopify.com:1337" | grep ":1337"; sleep 0; echo 1; done

This command repeatedly requests the page with a Host header carrying a bogus port (1337) and greps each response for that port, so every hit shows the manipulated header being reflected back by the server.

If the server echoes the Host header into the response and the caching layer does not include that header value in its cache key, the cache stores this incorrect version under the same key as the normal page. From then on, other users requesting the page can be served the corrupted copy instead of the proper one.

To verify if the cache had been poisoned, the attacker would run the following command in another terminal:

while true; do curl -ik "https://themes.shopify.com:443/" | grep ":1337"; done

This command checks if the corrupted Host header (using port 1337) is being served to users.

As a result, users visiting https://themes.shopify.com might now see broken images, missing styles, or incorrect links because the website is being served with a port that doesn’t actually exist (e.g., themes.shopify.com:1337). This can cause the site to fail to load resources correctly, leading to a degraded user experience.

The Technical Implications

This attack exploits a misconfiguration in how the web server and caching system handle HTTP headers. If the server does not validate the Host header, and the cache stores what the server generated from it, the shared cache itself ends up poisoned. The result is that every user who accesses the site while the poisoned entry is live receives a broken or manipulated version of the website.
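To make the mechanism concrete, here is a small model I have added for this article (not Shopify's code, nor the reporter's) of an origin that copies the Host header into asset URLs, sitting behind a shared cache that can be configured either weakly (keyed on the path only, no Host validation) or hardened (keyed on Host, with Host restricted to the canonical name and default port). The hostname allowlist and the cache layout are assumptions for illustration.

```python
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"themes.shopify.com"}  # assumption: the only canonical hostname


def render_page(host):
    """Origin that writes the Host header verbatim into an asset URL."""
    return f'<link href="https://{host}/assets/theme.css">'


def canonical_host(host):
    """Return the canonical hostname for an acceptable Host header, else None.
    Rejects unknown hostnames and any explicit port other than 443."""
    try:
        parts = urlsplit("//" + host)
        hostname, port = parts.hostname, parts.port
    except ValueError:  # non-numeric or out-of-range port
        return None
    if hostname not in ALLOWED_HOSTS or port not in (None, 443):
        return None
    return hostname


class Edge:
    """Shared cache in front of the origin (constructed model, not a real CDN).
    key_on_host and validate select the weak (False, False) or the hardened
    (True, True) configuration."""

    def __init__(self, key_on_host, validate):
        self.key_on_host, self.validate = key_on_host, validate
        self.store = {}

    def get(self, path, host):
        if self.validate:
            host = canonical_host(host)
            if host is None:
                return "400 Bad Request"
        key = (path, host) if self.key_on_host else path
        if key not in self.store:  # cache miss: ask the origin and store it
            self.store[key] = render_page(host)
        return self.store[key]


def poisoning_demo(edge):
    """One request with a bogus port, then a normal user request.
    Returns True if the normal user receives the ':1337' response."""
    edge.get("/", "themes.shopify.com:1337")
    return ":1337" in edge.get("/", "themes.shopify.com")


if __name__ == "__main__":
    print("weak config poisoned:", poisoning_demo(Edge(False, False)))
    print("hardened config poisoned:", poisoning_demo(Edge(True, True)))
```

Keying on Host alone (without validation) already stops the bogus entry from reaching normal users, but validating the header as well keeps the junk variant out of the cache entirely.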

Defense Against Web Cache Poisoning

To protect against this kind of attack, it is essential to:

  • Validate Host Headers: Ensure that the server only accepts valid Host headers corresponding to the domain name.
  • Sanitize Inputs: Carefully check and sanitize all inputs, including HTTP headers, to prevent malicious data from being processed.
  • Configure Cache Properly: Ensure the caching mechanism is configured so that a response generated for one Host value is never stored and served for another, preventing it from storing poisoned or invalid data.

Conclusion

Web Cache Poisoning via the Host header is a serious issue because it can degrade the user experience and disrupt the normal operation of a website. For site administrators and developers, it highlights the importance of securing caching mechanisms to prevent such vulnerabilities.

Author of the Finding

This is an article I wrote about the following bug bounty – https://hackerone.com/reports/1096609 – reported by g4mm4 (https://hackerone.com/g4mm4?type=user). Bounty: $2,900.
