Security Advisory 2019-001

Release Date:

Web Cache Poisoning Vulnerabilities -



  • 23/01/2019 --- v1.0 -- Initial publication


Web cache poisoning has long been considered a theoretical threat. However, already published research describes practical examples of this type of attack [1]. Also, recently there have been documented cases of observing exploitation of these types of vulnerabilities on production systems.

Technical Details

Caching improves web-page load times by reducing latency while also reducing the load on application server. It can be implemented at different levels: specific software, offered by content delivery networks (CDN), or built-in into web applications and frameworks. All of these are susceptible to cache poisoning.

Web cache poisoning is a specific type of a more generic family of cache poisoning vulnerabilities [2]. The impact of a maliciously constructed response from a webserver can be magnified if it is cached and served to multiple users. The published research [1] presents practical ways of cache poisoning by using unkeyed inputs. Unkeyed inputs are parts of a request that a cache does not use for mapping the caches.

Products Affected

Cache servers and services, web applications and frameworks.


  • Disable caching, if possible from operational point of view. In some cases caching is enabled by default – not necessarily needed for performance reasons.
  • If disabling the cache is not possible, restrict caching to purely static responses.
  • Audit every URL of an application with Param Miner to detect and disable unkeyed inputs. Param Miner is a Burp Suite extension used to detect unkeyed inputs [3].





We got cookies

We only use cookies that are necessary for the technical functioning of our website. Find out more on here.