New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Web cache poisoning -- X-Forwarded-Scheme
vs X-Forwarded-Proto
#1809
Comments
Do you have any suggestions about how we can fix it? |
The obvious approach to "fixing it" would be respecting |
I think the long term answer is #1423, but that only helps when relevant upstreams have also adopted it. |
I was thinking about what an ideal solution is, unfortunately I suspect that any time you check multiple headers, the site This leads me to think that the best route is to decide what's more common, and drop support for the other. Possibly with a documented config/monkeypatch/etc to change the behavior. |
I also want to mention that there might be some issues regarding how we handle |
The Request.forwarded_priority accessor sets the priority. Default to considering Forwarded first, since it is now the official standard. Also allow configuring whether X-Forwarded-Proto or X-Forwarded-Scheme has priority, using the Request.x_forwarded_proto_priority accessor. Allowing configurable priorities for these headers is necessary, because which headers should be checked depends on the environment the application runs in. Make Request#forwarded_authority use the last forwarded authority instead of the first forwarded authority, since earlier forwarded authorities can be forged by the client. Fixes rack#1809 Fixes rack#1829 Implements rack#1423 Implements rack#1832
Hello! Any chance of a patch release containing this fix? I see it's planned for |
I think there is very little chance of backporting this change, it's way too disruptive for a tiny version change. It's not a bug fix, it's a completely new feature that may require configuration. |
Gotcha, thanks for the quick reply anyway! |
Hi! I believe there default rack behavior of
forwarded_scheme
creates a cache poisoning vulnerability in common configurations. This was initially disclosed almost a year ago in the blog post Cache Poisoning At Scale, and I am starting to see it used by pentesters. As I don't an issue or fix, I wanted to document it here.In short, many CDNs use
X-Forwarded-Proto
to convey the original request protocol. But, rack prefersX-Forwarded-Scheme
, this creates a simple opportunity for a cache poisoning attack.This is a bit hard to show, but if you assume the
rack
URL has a CDN in front of it:This is something I had to patch on our CDN, and it sounds like something many sites have had to patch as well. (The previously linked blog post lists several notable sites. Here is the hackerone discussion)
The text was updated successfully, but these errors were encountered: