Prevent cache poisoning
This topic discusses how to prevent cache poisoning if you use the Microsoft Internet Information Server (IIS) web server. Cache poisoning is a method of changing cache contents to include different pages from the same site. For example, it is possible to inject an HTTP 404 (Not Found) error page in place of some benign page (for example, the storefront home page), which can lead to a potential denial-of-service (DoS). The malicious page URLs are cached by Varnish or Redis, hence the name page cache poisoning.
These types of attacks can be difficult to detect because they do not result in errors in web server logs.
This solution applies to the following Commerce versions:
- 2.0.10 and later
- 2.1.2 and later
Description
The issue results if URL rewrites are enabled on the IIS server, and any of the following HTTP headers are altered before the request reaches the Varnish or Redis caching service:
X-Rewrite-Url
X-Original-Url
IIS-wasurlrewritten
Unencoded-URL
Orig-path-info
If these headers are changed, the resulting URL and content are cached, resulting in potential vulnerabilities.
Solution
We provide the option to remove the values of all of the preceding headers based on the IIS server setting for Enable_IIS_Rewrites
.
- If
Enable_IIS_Rewrites
is set to0
, the values of the headers are removed. - If
Enable_IIS_Rewrites
is set to1
, the values of the headers are left intact.
Enable_IIS_Rewrites
to 1
, you must not allow the values of the preceding headers to be altered before the request reaches the IIS web server.