Cache poisoning is an attack that corrupts the data stored in a cache to redirect users to malicious content or disrupt service availability. The most common forms are DNS cache poisoning, which inserts false DNS records to redirect domain lookups, and web cache poisoning, which injects malicious content into CDN or proxy caches. The poisoned cache then serves the attacker's content to all users who request the affected resource.
In DNS cache poisoning, the attacker sends forged DNS responses to a recursive resolver, attempting to match the transaction ID and source port of a pending legitimate query. If successful, the resolver caches the false record, directing all subsequent lookups for that domain to the attacker's IP address. The Kaminsky attack demonstrated that this could be done reliably by flooding the resolver with spoofed responses.

In web cache poisoning, the attacker identifies unkeyed input parameters such as HTTP headers that affect the response but are not included in the cache key. By sending requests with malicious header values that trigger different server behavior, the attacker causes the cache to store a poisoned response. Subsequent users requesting the same URL receive the attacker's modified content, which may include injected JavaScript, redirects, or defaced pages.
Cache poisoning can affect thousands or millions of users through a single successful attack because cached content is served to all requestors. DNS cache poisoning can redirect banking, email, and corporate traffic to attacker-controlled servers for credential harvesting. Web cache poisoning can inject persistent XSS into high-traffic websites. Mitigations include deploying DNSSEC for DNS integrity, randomizing source ports and transaction IDs, auditing web cache key configurations, and ensuring all user-controllable inputs are included in cache keys or stripped from processing.
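The unkeyed-header mechanism described above and the cache-key mitigation, as an added Python simulation that is not part of the original article: a shared proxy cache sits in front of a constructed origin that reflects X-Forwarded-Host into a script URL. With only the path and Host in the cache key, the header is unkeyed and the first response is served to every later requester; keying on the header, or stripping it before it reaches the origin, prevents that. The origin, cache class and host names are all hypothetical.

```python
from dataclasses import dataclass, field


def origin(request: dict) -> str:
    """Constructed origin server: reflects X-Forwarded-Host (falling back to
    Host) into a script URL, so that header changes the response body."""
    host = request["headers"].get("X-Forwarded-Host", request["headers"]["Host"])
    return f'<script src="https://{host}/static/app.js"></script>'


@dataclass
class Cache:
    """Minimal shared cache. keyed_headers become part of the cache key;
    strip_headers are removed before the request is forwarded to the origin."""
    keyed_headers: tuple
    strip_headers: tuple = ()
    store: dict = field(default_factory=dict)

    def key(self, request: dict) -> tuple:
        # Anything not in the key is "unkeyed": it can shape the stored
        # response without distinguishing it from other requesters' entries.
        return (request["path"],) + tuple(
            request["headers"].get(h, "") for h in self.keyed_headers)

    def fetch(self, request: dict) -> tuple:
        k = self.key(request)
        if k in self.store:
            return self.store[k], True          # cache hit
        cleaned = {**request, "headers": {h: v for h, v in request["headers"].items()
                                          if h not in self.strip_headers}}
        body = origin(cleaned)
        self.store[k] = body                    # stored for all later requesters
        return body, False


def poisoned_by_unkeyed_header(cache: Cache) -> bool:
    """Returns True if a later requester receives the first requester's
    header value reflected in the shared cached response."""
    first = {"path": "/", "headers": {"Host": "example.test",
                                      "X-Forwarded-Host": "untrusted.test"}}
    later = {"path": "/", "headers": {"Host": "example.test"}}
    cache.fetch(first)                          # populates the shared cache
    body, _hit = cache.fetch(later)
    return "untrusted.test" in body


if __name__ == "__main__":
    print("Host-only key:", poisoned_by_unkeyed_header(Cache(("Host",))))
    print("Header keyed: ", poisoned_by_unkeyed_header(Cache(("Host", "X-Forwarded-Host"))))
    print("Header stripped:", poisoned_by_unkeyed_header(Cache(("Host",), ("X-Forwarded-Host",))))
```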