HTTP Cache Poisoning Advisory
On January 14, 2020, CERT CC published an advisory warning of the potential use of Content Delivery Networks (CDNs) to cache malicious traffic. Akamai acknowledges this issue and has been aware of similar research in the past. This advisory highlights a reflected XSS vulnerability in origin web applications that exists whether or not a CDN is involved, exacerbated by having responses cached. Site operators should be aware that HTTP headers are a potential injection vector for malicious payloads. Header values should be considered untrusted input and validated before use.
This vulnerability stems from an origin web application parsing untrusted input supplied in an HTTP header and reflecting that value in the response, without adequate input validation or output sanitization. The response is then cached by a CDN. These header values can be crafted by the attacker to include malicious payloads, which will then be stored in the cache and sent when subsequent requests are made for the same content. In essence, this is a traditional reflected XSS attack, elevated to a stored XSS due to caching by CDNs.
This research highlights multiple vulnerable headers that can be used to reflect malicious content and places the burden of sanitizing the response on CDNs. However, it is the responsibility of the origin servers to validate input, sanitize output, and prevent such traffic from being generated. This attack works because the origin server was vulnerable to misuse, with or without a CDN being involved in the traffic.
CDNs cannot meaningfully sanitize these headers by default, since mutating header values according to an arbitrary model of what is valid or invalid may mismatch the expectations of other systems in the processing stream, or the origin server. The header values highlighted by this advisory are RFC-compliant, and any ordinary web application needs to properly process this traffic, regardless of CDN involvement.
Akamai can work with customers on a case by case basis to create appropriate customized controls, but is unable to globally make changes to traffic in order to prevent this type of vulnerability.
What can customers do?
This report highlights a vulnerability in web applications in general. It is a helpful reminder to site operators that HTTP headers are an injection vector that must be validated prior to being parsed. Akamai can work with site operators to help create mitigation strategies specific to their systems.