Web Cache Entanglement: Novel Pathways to Poisoning

Conference: BlackHat USA 2020



The presentation discusses novel approaches to web cache poisoning: it exposes esoteric cache behaviors and weaves them into high-impact exploit chains that turn junk vulnerabilities into critical ones.
  • Caches are rarely scrutinized in depth, but they are woven into websites throughout the net and can be exploited
  • The presentation diverges from the basic cache poisoning concept introduced two years ago and focuses on implementation flaws
  • Two broad approaches to novel cache poisoning exploits are discussed
  • Tooling is released to help find these issues and prevent them
  • An anecdote is shared about discovering that none of the cache keys generated from a request on an Akamai system were entirely correct

The presenter's finding that none of the cache keys generated from a request on an Akamai system were entirely correct led to exploitable scenarios. It raised important questions about where certain parameters had gone and why they were missing from the cache keys, and about the presence of a double-underscore parameter. These questions led to the development of novel cache poisoning exploits.


Caches are woven into websites throughout the net, discreetly juggling data between users, and yet they are rarely scrutinized in any depth. In this session, I'll show you how to remotely probe through the inner workings of caches to find subtle inconsistencies, and combine these with gadgets to build majestic exploit chains. These flaws pervade all layers of caching - from sprawling CDNs, through caching web servers and frameworks, all the way down to fragment-level internal template caches. I'll demonstrate how misguided transformations, naive normalization, and optimistic assumptions let me perform numerous attacks including persistently poisoning every page on an online newspaper, compromising the administration interface on an internal DoD intelligence website, and disabling Firefox updates globally. As usual, I won't waste your time talking about known techniques. When I presented 'Practical Web Cache Poisoning' in 2018, I targeted a design flaw in the caching concept. This time around I'll dive straight into implementation flaws, ensuring things get much, much messier, resulting in some of the riskiest, most hard-to-find attack techniques yet. Alongside an array of cache-attack techniques, you'll take away methodology and open-source tooling to tackle these technical challenges with confidence.