Cache Poisoning
What is Cache Poisoning?
Cache Poisoning: An attack that stores a malicious response in a shared cache so that other users later receive the attacker's content.
Cache poisoning abuses a cache layer — CDN, reverse proxy, browser, or DNS resolver — to make it persist content controlled by an attacker. Web cache poisoning typically exploits unkeyed input: a header or parameter that influences the response but is not included in the cache key, so the poisoned response is served to subsequent visitors. Variants include DNS cache poisoning, application-level cache poisoning, and cache deception. Impact ranges from defacement and XSS distribution to credential theft and bypass of authentication. Defences: include relevant inputs in the cache key, normalise requests at the edge, restrict cacheable responses to safe content types, and audit Vary and Cache-Control headers.
● Examples
- 01: Poisoning a CDN by sending an X-Forwarded-Host header that the app reflects into a script tag.
- 02: Caching a 302 redirect with attacker-controlled Location for all visitors.
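As an added illustration that is not part of the original page: a toy cache in front of a toy origin that reflects X-Forwarded-Host into a script tag, run once with the header unkeyed and then with each of the two defences the definition names (keying on the input, or normalising it away at the edge). The hostnames, header set and request sequence are constructed for the example.

```python
# Added example (not from the original page): a minimal origin plus a minimal
# cache, used to show why an unkeyed, reflected header poisons later visitors.

def origin(path, headers):
    """Toy origin: builds an absolute script URL from X-Forwarded-Host if present,
    falling back to Host. This is the reflection the cache examples above rely on."""
    host = headers.get("X-Forwarded-Host", headers.get("Host", "example.test"))
    return f'<script src="https://{host}/static/app.js"></script><!-- {path} -->'


class Cache:
    """Toy edge cache. keyed_headers are part of the cache key; strip_headers are
    removed from client requests before they reach the origin (edge normalisation)."""

    def __init__(self, keyed_headers, strip_headers=()):
        self.keyed_headers = keyed_headers
        self.strip_headers = set(strip_headers)
        self.store = {}

    def key(self, path, headers):
        # Anything not in the key is "unkeyed input": it can change the response
        # without changing which cache slot the response is stored in.
        return (path,) + tuple(headers.get(h, "") for h in self.keyed_headers)

    def fetch(self, path, headers):
        headers = {k: v for k, v in headers.items() if k not in self.strip_headers}
        k = self.key(path, headers)
        if k not in self.store:
            self.store[k] = origin(path, headers)
        return self.store[k]


def simulate(cache):
    """Constructed sequence: one request carrying a forwarded host the origin does
    not own (placeholder name), then an ordinary visitor with no such header.
    Returns what the ordinary visitor is served."""
    cache.fetch("/", {"Host": "example.test", "X-Forwarded-Host": "cdn.attacker.invalid"})
    return cache.fetch("/", {"Host": "example.test"})


def poisoned(response):
    """Detection check: did the placeholder foreign host end up in the served page?"""
    return "attacker.invalid" in response


if __name__ == "__main__":
    print("unkeyed header :", poisoned(simulate(Cache(keyed_headers=("Host",)))))
    print("header in key  :", poisoned(simulate(Cache(keyed_headers=("Host", "X-Forwarded-Host")))))
    print("stripped at edge:", poisoned(simulate(Cache(keyed_headers=("Host",),
                                                       strip_headers=("X-Forwarded-Host",)))))
```

Only the first configuration serves the reflected host to the second visitor; both defences leave the ordinary visitor with a response built from Host alone.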
● Frequently asked questions
What is Cache Poisoning?
An attack that stores a malicious response in a shared cache so that other users later receive the attacker's content. It belongs to the Vulnerabilities category of cybersecurity.
What does Cache Poisoning mean?
An attack that stores a malicious response in a shared cache so that other users later receive the attacker's content.
How do you defend against Cache Poisoning?
Defences for Cache Poisoning typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Cache Poisoning?
Common alternative names include: Web cache poisoning, Response poisoning.