The cache poisoning attack is a sophisticated method used by hackers to manipulate data in a server's cache. This article discusses one of the most common cache poisoning attacks that exploit the HTTP X-Forwarded-Host header. This type of attack is particularly insidious because it can result in the display of harmful content to users, data manipulation, or theft of sensitive information.
The HTTP X-Forwarded-Host header is commonly used in network environments where a proxy server or load balancer is present. This header indicates the original host requested by the client. However, if an attacker manages to manipulate the X-Forwarded-Host header, they can direct the client's requests to a harmful host. This can lead to a series of security problems, such as the disclosure of confidential information and data manipulation.
A cache poisoning attack via the setting of X-Forwarded-Host occurs when an attacker sends an HTTP request with a manipulated X-Forwarded-Host header. If the server accepts this request and stores it in its cache, all subsequent requests for that resource will be directed to the harmful host specified in the X-Forwarded-Host header. This can lead to a wide range of attacks, including identity theft, data manipulation, and the spread of malware.
Turns out Ruby on Rails until version 6 is indeed vulnerable to those kind of attacks: The X-Forwarded-Host HTTP header is always trusted and is used in url_for · Issue #29893 · rails/rails (github.com)
So beware and always filter the hosts you going to receive via X-Forwarded-Host, if those are even needed. Otherwise do yourself a favour and delete the header before addressing each request.