CAPEC-141 Detail

Cache Poisoning

Abstraction: Standard; Domain: Software; Likelihood of Attack: High; Typical Severity: High

Parents: 161

Children: 142

Threats: T46 T68 T274 T297 T339 T382 T393

Tools: 12 13

Description

An attacker exploits the functionality of cache technologies to cause specific data to be cached that aids the attackers' objectives. This describes any attack whereby an attacker places incorrect or harmful material in cache. The targeted cache can be an application's cache (e.g. a web browser cache) or a public cache (e.g. a DNS or ARP cache). Until the cache is refreshed, most applications or clients will treat the corrupted cache value as valid. This can lead to a wide range of exploits including redirecting web browsers towards sites that install malware and repeatedly incorrect calculations based on the incorrect value.

External ID Source Link Description
CAPEC-141 capec https://capec.mitre.org/data/definitions/141.html
CWE-348 cwe http://cwe.mitre.org/data/definitions/348.html
CWE-345 cwe http://cwe.mitre.org/data/definitions/345.html
CWE-349 cwe http://cwe.mitre.org/data/definitions/349.html
CWE-346 cwe http://cwe.mitre.org/data/definitions/346.html
T1557.002 ATTACK https://attack.mitre.org/wiki/Technique/T1557/002 Adversary-in-the-Middle: ARP Cache Poisoning
OWASP Attacks https://owasp.org/www-community/attacks/Cache_Poisoning Cache Poisoning
REF-22 reference_from_CAPEC http://en.wikipedia.org/wiki/DNS_cache_poisoning Wikipedia, The Wikimedia Foundation, Inc
REF-23 reference_from_CAPEC http://www.dnssec.net/dns-threats.php DNS Threats and DNS Weaknesses, DNSSEC
REF-24 reference_from_CAPEC http://en.wikipedia.org/wiki/ARP_spoofing Wikipedia, The Wikimedia Foundation, Inc
REF-599 reference_from_CAPEC https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/06-Testing_for_Browser_Cache_Weaknesses.html OWASP Web Security Testing Guide, The Open Web Application Security Project (OWASP)
Explore
  1. Identify and explore caches: Use tools to sniff traffic and scan a network in order to locate an application's cache (e.g. a web browser cache) or a public cache (e.g. a DNS or ARP cache) that may have vulnerabilities. Look for a poisoning point in the cache table entries.

  2. Techniques
    Run tools that check available entries in the cache.
Experiment
  1. Cause specific data to be cached: An attacker sends a bogus request to the target and then floods it with responses that trick the cache into remembering malicious responses, i.e. wrong answers to the queries.

  2. Techniques
    Intercept or modify a query, or send a bogus query with known credentials (such as the transaction ID).
Exploit
  1. Redirect users to a malicious website: Once the attacker has succeeded in exploiting the vulnerability, they can manipulate and interpose malicious response data into the targeted victims' queries.

  2. Techniques
    Intercept or modify a query, or send a bogus query with known credentials (such as the transaction ID).
    Adversary-in-the-Middle attacks (CAPEC-94) intercept secure communication between two parties.
Prerequisites
  1. The attacker must be able to modify the value stored in a cache to match a desired value.
  2. The targeted application must not be able to detect the illicit modification of the cache and must trust the cache value in its calculations.

Skills Required
  Medium: To overwrite/modify the targeted cache.

Example Instances
  1. In this example, an attacker sends a request to a local DNS server to look up www.example.com. The associated IP address of www.example.com is 1.3.5.7. A local DNS server usually caches IP addresses and does not go to the remote DNS server every time. Since the local record is not found, the DNS server tries to contact the remote DNS server for the query. However, before the remote DNS server returns the right IP address 1.3.5.7, the attacker floods the local DNS server with crafted responses carrying the IP address 2.4.6.8. The result is that 2.4.6.8 is stored in the DNS cache. Meanwhile, 2.4.6.8 is associated with a malicious website, www.maliciousexample.com. When users connect to www.example.com, the local DNS server directs them to www.maliciousexample.com; this works as part of a pharming attack.
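The DNS race above, replayed in a toy resolver as an added example (not part of the CAPEC entry): with a predictable transaction ID and a fixed source port, a forged reply for 2.4.6.8 wins the race, while a resolver that matches every reply against a pending query with a random ID and a random source port drops the forgeries and caches the legitimate 1.3.5.7. The names `Resolver`, `DnsResponse` and `run_scenario`, and the flood of guessed replies, are constructed for this example.

```python
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class DnsResponse:
    txid: int       # 16-bit transaction ID that must echo the query's
    dst_port: int   # UDP port the reply is addressed to (the query's source port)
    qname: str
    answer: str

class Resolver:
    """Toy caching resolver (constructed here, not real DNS code): a reply is cached only
    if its transaction ID, destination port and question name all match a pending query."""
    def __init__(self, randomize=True):
        self.randomize = randomize
        self.cache = {}      # qname -> answer
        self.pending = {}    # (txid, src_port) -> qname of an unanswered query
        self.rejected = 0
        self._next_txid = 1

    def send_query(self, qname):
        if self.randomize:  # hardened: random 16-bit ID and random source port
            txid, port = secrets.randbelow(1 << 16), 1024 + secrets.randbelow(64512)
        else:               # weak: sequential ID, fixed source port 53
            txid, port = self._next_txid, 53
            self._next_txid += 1
        self.pending[(txid, port)] = qname
        return txid, port

    def receive(self, resp):
        key = (resp.txid, resp.dst_port)
        if self.pending.get(key) != resp.qname:
            self.rejected += 1   # forged, stale or unsolicited: never cached
            return False
        del self.pending[key]    # first matching reply wins; later ones are stale
        self.cache[resp.qname] = resp.answer
        return True

    def lookup(self, qname):
        return self.cache.get(qname)

def run_scenario(randomize):
    """Replay the page's race: forged replies (2.4.6.8) arrive before the real one (1.3.5.7)."""
    r = Resolver(randomize)
    txid, port = r.send_query("www.example.com")
    for guess in range(1, 9):   # constructed flood guessing low IDs on port 53
        r.receive(DnsResponse(guess, 53, "www.example.com", "2.4.6.8"))
    r.receive(DnsResponse(txid, port, "www.example.com", "1.3.5.7"))  # legitimate reply
    return r.lookup("www.example.com"), r.rejected
```

`run_scenario(False)` returns `("2.4.6.8", 8)`: the weak resolver is poisoned and the late legitimate reply is discarded; `run_scenario(True)` returns `("1.3.5.7", 8)`: every forged reply is rejected.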