Internet's Invisible Enemy: Detecting and Measuring Web Cache Poisoning in the Wild

Web cache poisoning (WCP) has posed significant threats to Internet security by causing the cache server to deliver malicious responses to innocent users. This results in widespread denial of access to website resources and potential injection of harmful payloads. However, prior works on WCP vulnerability have been fragmented and conducted in a case-by-case form, lacking a systematic analysis of the threat landscape. In this paper, we fill this research gap by conducting a systematic evaluation of WCP vulnerabilities at scale. We propose HCache, a novel testing methodology to facilitates the widespread identification of WCP vulnerabilities. We evaluated our methodology against Tranco Top 1000 domains and their subdomains, and found that over 1,000 websites across 172 domains, representing 17% of the evaluated domains, are vulnerable to WCP. In particular, we have identified 7 new attack vectors stemming from previously unexplored caching headers. We have responsibly disclosed the vulnerabilities to the affected websites and received acknowledgements and bug bounties from world-famous companies, such as Alibaba, Adobe, Huawei, and Microsoft.