CAPEC-141 - Cache Poisoning

An attacker exploits the functionality of cache technologies to cause specific data to be cached that aids the attacker's objectives. This describes any attack in which an attacker places incorrect or harmful material in a cache. The targeted cache can be an application's cache (e.g. a web browser cache) or a public cache (e.g. a DNS or ARP cache). Until the cache is refreshed, most applications or clients will treat the corrupted cache value as valid. This can lead to a wide range of exploits, including redirecting web browsers towards sites that install malware and repeatedly performing incorrect calculations based on the incorrect value.


  • Attack Methods (1): Injection
  • Purposes (2): Penetration, Exploitation

Skill required, medium level: to overwrite/modify the targeted cache.

The attacker must be able to modify the value stored in a cache to match a desired value.

The targeted application must not be able to detect the illicit modification of the cache and must trust the cache value in its calculations.

Step 1 - Identify and explore caches

Use tools to sniff traffic and scan a network in order to locate an application's cache (e.g. a web browser cache) or a public cache (e.g. a DNS or ARP cache) that may have vulnerabilities. Look for a poisoning point in the cache table entries.

Technique ID: 1 - Environment(s) env-All

Run tools that check available entries in the cache.

Indicator ID: 1 - Environment(s) env-All

Type: Positive

Entries do not exist in the cache.

Indicator ID: 2 - Environment(s) env-All

Type: Positive

Applications or servers are not updated to new versions.

Indicator ID: 3 - Environment(s) env-Web

Type: Negative

Entries exist in the cache.


Security Control ID: 1

Type: Detective

Monitor network scans and examine system logs. The scans may be from unknown local IP or MAC address.


Outcome ID: 1

Type: Success

A list of server's information. No target entry found in the cache.

Outcome ID: 2

Type: Success

A list of browser's information. No target entry found in the cache.

Outcome ID: 3

Type: Failure

The results show target entries in the cache.



Step 1 - Cause specific data to be cached

The attacker sends a bogus request to the target and then floods it with responses that trick the cache into remembering the malicious responses, which are wrong answers to the queries.

Technique ID: 1 - Environment(s) env-Web

Intercept or modify a query, or send a bogus query with known credentials (such as transaction ID).

Indicator ID: 1 - Environment(s) env-All

Type: Positive

Request that the attacker intercepts includes transaction ID.

Indicator ID: 2 - Environment(s) env-All

Type: Positive

The attacker successfully sends response before authorized server.

Indicator ID: 3 - Environment(s) env-Web env-CommProtocol env-ClientServer

Type: Inconclusive

Transaction ID has been randomized.

Indicator ID: 4 - Environment(s) env-All

Type: Inconclusive

The application or server cache has recorded the correct table entry. In this case, the attacker needs to figure out a way to overwrite table entries to succeed.

Indicator ID: 5 - Environment(s) env-All

Type: Inconclusive

The attacker fails to send responses before the authorized responses. In this case, the attacker needs to figure out a way to overwrite table entries to succeed.


Security Control ID: 1

Type: Detective

Monitor log files for a large number of responses sent from the same host. This host may be manipulated by an attacker.


Outcome ID: 1

Type: Success

Any request of the targeted form results in the seeded response.

Outcome ID: 2

Type: Failure

Any request of the targeted form results in the correct response and not the seeded response.



Step 1 - Redirect users to malicious website

Once the attacker succeeds in exploiting the vulnerability, they are able to manipulate and interpose malicious response data into the targeted victim's queries.

Technique ID: 1 - Environment(s) env-Web

Intercept or modify a query, or send a bogus query with known credentials (such as transaction ID).

Technique ID: 2 - Environment(s) env-Web

Man-in-the-Middle intercepts secure communication between two parties.

Security Control ID: 1

Type: Preventative

Be less trusting of information passed by other parties, and ignore any records passed back which are not directly relevant to the query.


Outcome ID: 1

Type: Success

Any request of the targeted form results in the seeded response.

Outcome ID: 2

Type: Failure

Any request of the targeted form results in the correct response and not the seeded response.



Configuration: Disable client side caching.

Implementation: Listen for query replies on the network, and send a notification via email when an entry changes.
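As an added defender-side example (not part of the CAPEC entry), the following Python script implements the detective control from the "cause specific data to be cached" step (a large number of responses from one host) together with the implementation mitigation above (alerting when an observed entry changes), and also flags two replies that reuse one transaction ID with different answers. The DnsReply records, IP addresses, transaction IDs and name are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsReply:
    ts: float    # capture time in seconds
    src: str     # IP address that sent the reply
    qname: str   # name being answered
    txid: int    # DNS transaction ID echoed in the reply
    answer: str  # A record carried in the reply


def detect_poisoning(replies, burst_window=1.0, burst_threshold=5):
    """Scan replies in time order and return alert tuples:
    ('burst', src)              src sent >= burst_threshold replies within burst_window
    ('txid_race', qname, txid)  two replies reuse one txid with different answers
    ('change', qname, old, new) the observed answer for qname changed"""
    alerts, cache, first_answer = [], {}, {}
    recent, burst_reported = defaultdict(list), set()
    for r in sorted(replies, key=lambda x: x.ts):
        # Flood check: many replies from one host in a short window (detective control).
        window = [t for t in recent[r.src] if r.ts - t <= burst_window] + [r.ts]
        recent[r.src] = window
        if len(window) >= burst_threshold and r.src not in burst_reported:
            alerts.append(("burst", r.src))
            burst_reported.add(r.src)
        # Competing answers for one transaction ID: a spoofed reply racing the real one.
        key = (r.qname, r.txid)
        if key in first_answer and first_answer[key] != r.answer:
            alerts.append(("txid_race", r.qname, r.txid))
        first_answer.setdefault(key, r.answer)
        # Entry change: the answer seen for a name differs from the last one (notification mitigation).
        if r.qname in cache and cache[r.qname] != r.answer:
            alerts.append(("change", r.qname, cache[r.qname], r.answer))
        cache[r.qname] = r.answer
    return alerts


def sample_replies():
    """Constructed capture: one genuine reply from resolver 10.0.0.53, then a burst of
    spoofed replies from 10.0.0.99, the last of which guesses the genuine txid."""
    genuine = [DnsReply(0.0, "10.0.0.53", "example.com", 0x1A2B, "93.184.216.34")]
    flood = [DnsReply(0.1 * (i + 1), "10.0.0.99", "example.com", 0x1000 + i, "198.51.100.7")
             for i in range(5)]
    guessed = [DnsReply(0.55, "10.0.0.99", "example.com", 0x1A2B, "198.51.100.7")]
    return genuine + flood + guessed
```

Running `detect_poisoning(sample_replies())` on the constructed capture yields a `change` alert on the first spoofed reply, a `burst` alert on the fifth, and a `txid_race` alert for the reply that reuses the genuine transaction ID; in a real deployment the email notification would hang off each alert.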