Cache Key Manipulation

Cache Key Manipulation refers to techniques that exploit the gap between the request inputs a cache uses to build its key and the inputs the origin uses to build the response, in order to achieve cache poisoning or cache deception. Understanding how a cache key is composed is essential for both attacking and defending web caches.

Cache Key Components

A cache key typically consists of some combination of:

  • Request method (GET, POST)
  • Host header
  • URL path
  • Query string (all or specific parameters)
  • Selected headers
  • Cookies (sometimes)

Manipulation Techniques

Unkeyed Headers

# If X-Forwarded-Host is unkeyed but reflected:
GET /page HTTP/1.1
Host: example.com
X-Forwarded-Host: attacker.com

# Response contains attacker.com, but the cache key is just /page, so the
# poisoned response is served to every later request for /page

Parameter Pollution

# If only 'page' is keyed but 'callback' affects response:
GET /api?page=1&callback=evil HTTP/1.1

# Cache key: /api?page=1
# Response contains: evil(...)

Fat GET Requests

# Some caches ignore the body on GET, but the application processes it:
GET /search?q=normal HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 11

q=malicious

# Cache key: /search?q=normal
# Response reflects: malicious

Cache Key Normalization Issues

A cache and its origin may normalize the same request differently, so two requests the origin treats as one resource can receive separate keys, or two different resources can share one:

  • Port normalization: example.com:80 vs the implicit default port
  • Case sensitivity: /Page vs /page
  • Encoding: %2f vs / (and other percent-encoded forms of the same path)
  • Path normalization: /./page vs /page (dot segments)
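
As an added example (not code from the original page), the following Python sketch contrasts the weak path-only key with a key that folds in every response-affecting input and applies the normalizations listed above; it also covers the fat-GET case from the Manipulation Techniques section. KEYED_HEADERS, the function names and the sample hosts are assumptions for illustration.

```python
from urllib.parse import urlsplit, parse_qsl, urlencode
import posixpath

# Headers whose values the application reflects into the response; they must
# be part of the key. Constructed for this example; the real set is app-specific.
KEYED_HEADERS = ("x-forwarded-host", "x-forwarded-scheme")


def naive_key(method, host, target, headers):
    """The weak key from the page: method and path only (host and headers
    are accepted but ignored, which is exactly the problem)."""
    return f"{method} {urlsplit(target).path}"


def strict_key(method, host, target, headers, keyed_params=None):
    """Key on every input that can change the response, after normalization.

    keyed_params=None keys every query parameter; passing a subset such as
    ("page",) reproduces the parameter-pollution weakness on purpose.
    """
    parts = urlsplit(target)
    # Port and case normalization: EXAMPLE.COM:80 and example.com are one origin.
    host = host.strip().lower()
    if host.endswith(":80"):
        host = host[:-3]
    # Dot-segment normalization: /./page and /a/../page become /page. Percent
    # decoding and path case folding are deliberately NOT done here; do either
    # only if the origin treats those forms as the same resource.
    path = posixpath.normpath(parts.path or "/")
    # Sort the query so parameter order cannot split the key; keep blank values.
    params = sorted(parse_qsl(parts.query, keep_blank_values=True))
    if keyed_params is not None:
        params = [p for p in params if p[0] in keyed_params]
    lowered = {k.lower(): v for k, v in headers.items()}
    keyed = [(h, lowered.get(h, "")) for h in KEYED_HEADERS]
    return f"{method} {host}{path}?{urlencode(params)}|{urlencode(keyed)}"


def cacheable(method, headers):
    """Fat-GET guard: a GET carrying a body is not stored, because the body can
    change the origin's response but never reaches the key."""
    lowered = {k.lower(): v for k, v in headers.items()}
    has_body = (lowered.get("content-length", "0") != "0"
                or "transfer-encoding" in lowered)
    return method == "GET" and not has_body
```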

See Also