Web Cache Poisoning

Tricking a shared cache into storing and serving a malicious response.


The Attack

Web cache poisoning lets an attacker store a harmful response in a shared cache so it is served to many later visitors. The attacker finds an unkeyed input that influences the response but is ignored when the cache builds its key.

Why It Works

  • A cache decides whether to reuse a stored response by comparing cache keys, usually built from the path and a few headers.
  • If a header like X-Forwarded-Host changes the response but is not part of the key, one poisoned request taints the cached copy.
  • Every subsequent user then receives the attacker-controlled content.

Defenses

  • Include every input that affects the response in the cache key, or strip unkeyed inputs before processing.
  • Avoid reflecting request headers into responses.
  • Use the Vary header correctly so distinct inputs map to distinct cache entries.
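
An added example, not part of the original lesson: a constructed in-memory simulation of a shared cache in front of a hypothetical origin that reflects X-Forwarded-Host, comparing a weak cache key against the first defense above (key the input, or strip it). The class, function and host names are assumptions made for illustration, and header names are matched case-sensitively to keep it short.

```python
# Constructed simulation: no real cache product or origin server is modelled.
def origin(path, headers):
    """Hypothetical origin that builds an asset URL from a forwarded-host header."""
    host = headers.get("X-Forwarded-Host", headers["Host"])
    return f'<script src="https://{host}/static/app.js"></script>'


class SharedCache:
    def __init__(self, keyed_headers=("Host",), strip_unkeyed=False):
        self.keyed_headers = keyed_headers    # headers that take part in the key
        self.strip_unkeyed = strip_unkeyed    # drop everything else before the origin
        self.store = {}

    def key(self, path, headers):
        return (path,) + tuple(headers.get(h, "") for h in self.keyed_headers)

    def fetch(self, path, headers):
        if self.strip_unkeyed:
            # The origin never sees an input the key ignores.
            headers = {h: v for h, v in headers.items() if h in self.keyed_headers}
        k = self.key(path, headers)
        if k not in self.store:               # miss: ask the origin and store the result
            self.store[k] = origin(path, headers)
        return self.store[k]


def later_visitor_tainted(cache):
    """One request carries the unkeyed header; a later ordinary request follows."""
    cache.fetch("/", {"Host": "shop.example", "X-Forwarded-Host": "attacker.example"})
    body = cache.fetch("/", {"Host": "shop.example"})
    return "attacker.example" in body


WEAK = dict(keyed_headers=("Host",))                        # header shapes response, not key
KEYED = dict(keyed_headers=("Host", "X-Forwarded-Host"))    # header is part of the key
STRIPPED = dict(keyed_headers=("Host",), strip_unkeyed=True)

if __name__ == "__main__":
    for name, cfg in [("weak", WEAK), ("keyed", KEYED), ("stripped", STRIPPED)]:
        tainted = later_visitor_tainted(SharedCache(**cfg))
        print(f"{name:9s} later visitor served tainted copy: {tainted}")
```

Running the same two-request check against a staging cache with a harmless marker value is a practical way to confirm which headers are unkeyed.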

Key idea

Cache poisoning exploits inputs that shape a response but are absent from the cache key, so key on every influencing input or strip it entirely.

Check yourself


1. What is an unkeyed input in cache poisoning?

2. Which defense directly addresses cache poisoning?