A new cyber attack "CPDoS" that forcibly displays error pages instead of correct web pages is discovered
A research team from the Cologne Institute of Technology has announced a new cyber attack, "Cache Poisoned Denial of Service (CPDoS)", that forces an error page to be displayed instead of a web page distributed through a content delivery network (CDN).

CPDoS: Cache Poisoned Denial of Service

https://cpdos.org/

A CDN distributes copies (caches) of web content to servers around the world so that users can fetch data from a server that is geographically close to them. This speeds up and stabilizes transfers. Because the CDN stores the data on distributed servers, the data remains accessible from another server even if the origin server is down.

CPDoS is a cyber attack that turns this CDN mechanism against itself. Its mechanism is briefly explained in the following six steps.

1: The attacker first sends an HTTP request containing a malicious header to the CDN cache server.
2: Next, the cache server forwards a request to the origin server in order to store the latest copy. Because of the malicious header, the origin server returns an "error page" to the cache server.
3: The error page is saved on the cache server in place of the correct page.
4: The attacker confirms that the error page has been saved on the cache server, and the attack is complete.
5: When a normal user tries to view the web page, the CDN system serves it from the cache server instead of the origin.
6: However, since the cache server now holds the error page instead of the correct web page, the error page is displayed to the user.
CPDoS can block any web resource hosted behind a CDN or proxy server. According to the research team, a single malicious HTTP request can be enough to block all access to the targeted content.

In this announcement, the malicious headers that cause CPDoS are classified into three kinds: "HTTP header oversize (HHO)", "HTTP metacharacters (HMC)", and "HTTP method override (HMO)".

HTTP header oversize (HHO)
On most web servers, the size of the HTTP request header is limited to 8192 bytes, to prevent attacks such as ReDoS. However, some CDNs such as Amazon CloudFront allow up to 20480 bytes, and the exact limit varies from service to service.

HHO is an attack that exploits this difference in header size limits between the cache server and the origin server. For example, an attacker sends a request whose headers are smaller than the cache server's limit but larger than the origin server's limit. The request is within the cache server's limit, so the cache server accepts it and forwards it to the origin server. There it exceeds the origin server's limit, and an error page is returned to the cache server.
You can check the following movie to see how CPDoS was demonstrated using HHO. The web page displayed at the start has been replaced by a "Bad Request" page by the end of the experiment.


HTTP metacharacter (HMC)
HMC uses the same approach as HHO, but the request it sends contains control characters such as "\n", "\r", and "\a" that may be judged harmful. If the origin server determines that these control characters are harmful, it returns an error page to the cache server.
HTTP method override (HMO)
HTTP servers support methods such as "GET", "POST", "DELETE", and "PUT", but proxy servers and cache servers mostly handle only "GET" and "POST".

An HMO request contains a header that overrides the HTTP method. If a "GET" request carries a header instructing that it be treated as "POST", the cache server handles the request as a "GET". The origin server, however, executes it as a "POST", and if no application is present to handle a "POST" request, a 404 Not Found error page is returned.
The following movie shows the HMO attack being executed. The web page that initially reads "Welcome to the start page" cannot process the "POST" request, and is replaced by an error page once the attack has been executed.


The research team uses a table to show which combinations of server and CDN are vulnerable to which CPDoS method. ○ marks combinations for which countermeasures against CPDoS are already in place.
The research team proposes several mitigation measures against CPDoS. The first is to configure the CDN not to cache HTTP error pages by default, and the second is to add "Cache-Control: no-store" to the headers of every error page. The research team not only encourages CDN users to apply these mitigations, but also calls on the businesses that provide CDN services to take countermeasures.
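To make concrete why an error page landing in the cache is the whole problem, and how each of the two mitigations above removes it, here is an added Python simulation of the HHO scenario described earlier: an edge cache with the 20480-byte header limit named in the article in front of an origin with the 8192-byte limit. This is illustrative code written for this page, not code from the research team or from cpdos.org; the host name, the padding header, the toy request sizes and the `run_scenario` helper are all constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    body: str
    headers: dict = field(default_factory=dict)


def header_size(headers: dict) -> int:
    """Bytes the header block occupies on the wire ("Name: value\\r\\n" per header)."""
    return sum(len(name) + len(value) + 4 for name, value in headers.items())


class Origin:
    """Origin web server (simulated). Rejects a request whose header block exceeds
    its limit with a 400 error page; optionally marks error pages no-store."""

    def __init__(self, header_limit: int, no_store_on_errors: bool):
        self.header_limit = header_limit
        self.no_store_on_errors = no_store_on_errors

    def handle(self, path: str, headers: dict) -> Response:
        if header_size(headers) > self.header_limit:
            error = Response(400, "Bad Request")
            if self.no_store_on_errors:
                # Second mitigation from the article: error pages carry no-store.
                error.headers["Cache-Control"] = "no-store"
            return error
        return Response(200, f"Welcome to {path}")


class EdgeCache:
    """CDN edge cache (simulated) with its own, larger header limit and a store keyed by path."""

    def __init__(self, origin: Origin, header_limit: int, cache_error_pages: bool):
        self.origin = origin
        self.header_limit = header_limit
        self.cache_error_pages = cache_error_pages
        self.store: dict = {}

    def is_cacheable(self, response: Response) -> bool:
        if "no-store" in response.headers.get("Cache-Control", ""):
            return False
        if response.status >= 400 and not self.cache_error_pages:
            # First mitigation from the article: never cache error pages.
            return False
        return True

    def fetch(self, path: str, headers: dict) -> Response:
        if header_size(headers) > self.header_limit:
            # Rejected at the edge itself; the origin is never contacted and nothing is stored.
            return Response(400, "Bad Request")
        if path in self.store:
            return self.store[path]
        response = self.origin.handle(path, headers)
        if self.is_cacheable(response):
            self.store[path] = response
        return response


ORIGIN_LIMIT = 8192   # common web-server default named in the article
EDGE_LIMIT = 20480    # CloudFront limit named in the article


def run_scenario(mitigation: str) -> int:
    """Play the article's six steps against a fresh cache and return the HTTP status
    an ordinary visitor sees afterwards. mitigation is one of "none",
    "cdn_no_error_cache" (first mitigation) or "origin_no_store" (second mitigation)."""
    origin = Origin(ORIGIN_LIMIT, no_store_on_errors=(mitigation == "origin_no_store"))
    edge = EdgeCache(origin, EDGE_LIMIT, cache_error_pages=(mitigation != "cdn_no_error_cache"))

    # Steps 1-3: a request whose header block lies between the two limits (constructed padding).
    oversize = {"Host": "example.test", "X-Padding": "A" * 10000}
    assert ORIGIN_LIMIT < header_size(oversize) <= EDGE_LIMIT
    edge.fetch("/index.html", oversize)

    # Steps 5-6: an ordinary visitor with a small header block requests the same path.
    visitor = edge.fetch("/index.html", {"Host": "example.test"})
    return visitor.status


if __name__ == "__main__":
    for mitigation in ("none", "cdn_no_error_cache", "origin_no_store"):
        print(f"{mitigation:20s} -> visitor sees HTTP {run_scenario(mitigation)}")
```

With no mitigation the visitor receives the cached 400 even though their own request is perfectly valid, which is the denial of service. Either mitigation alone is enough in this model: the edge refusing to store error responses and the origin marking them `Cache-Control: no-store` both keep the error page out of the cache, so the next visitor triggers a fresh origin fetch and gets the real page.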

Posted in Web Service, Security by darkhorse_log