An attacker exploits the functionality of cache technologies to cause specific data to be cached that aids the attackers' objectives. This describes any attack whereby an attacker places incorrect or harmful material in cache. The targeted cache can be an application's cache (e.g. a web browser cache) or a public cache (e.g. a DNS or ARP cache). Until the cache is refreshed, most applications or clients will treat the corrupted cache value as valid. This can lead to a wide range of exploits including redirecting web browsers towards sites that install malware and repeatedly incorrect calculations based on the incorrect value.
Description
Attack Execution Flow
3
1
Step 1
Explore[Identify and explore caches] Use tools to sniff traffic and scan a network in order to locate application's cache (e.g. a web browser cache) or a public cache (e.g. a DNS or ARP cache) that may have vulnerabilities. Look for poisoning point in cache table entries.
Run tools that check available entries in the cache.
AI Translation
[Identifica ed esplora le cache] Utilizza strumenti per sniffare il traffico e scansionare una rete al fine di individuare la cache dell'applicazione (ad esempio, la cache di un browser web) o una cache pubblica (ad esempio, cache DNS o ARP) che potrebbe presentare vulnerabilità. Cerca punti di poisoning nelle voci della tabella della cache.
Esegui strumenti che verificano le voci disponibili nella cache.
Attack Techniques
-
Run tools that check available entries in the cache.
2
Step 2
Experiment[Cause specific data to be cached] An attacker sends bogus request to the target, and then floods responses that trick a cache to remember malicious responses, which are wrong answers of queries.
Intercept or modify a query, or send a bogus query with known credentials (such as transaction ID).
AI Translation
[Indurre il caching di dati specifici] Un attaccante invia richieste fasulle al bersaglio, quindi inonda di risposte che ingannano la cache facendole memorizzare risposte dannose, ovvero risposte errate alle query.
Intercettare o modificare una query, o inviare una query fasulla con credenziali note (come l’ID di transazione).
Attack Techniques
-
Intercept or modify a query, or send a bogus query with known credentials (such as transaction ID).
3
Step 3
Exploit[Redirect users to malicious website] As the attacker succeeds in exploiting the vulnerability, they are able to manipulate and interpose malicious response data to targeted victim queries.
Intercept or modify a query, or send a bogus query with known credentials (such as transaction ID).
Adversary-in-the-Middle attacks (CAPEC-94) intercept secure communication between two parties.
AI Translation
[Reindirizza gli utenti a un sito web dannoso] Man mano che l'attaccante riesce a sfruttare la vulnerabilità, è in grado di manipolare e inserire dati di risposta dannosi nelle query delle vittime mirate.
Intercettare o modificare una query, o inviare una query fasulla con credenziali note (come l'ID di transazione).
Gli attacchi Adversary-in-the-Middle (CAPEC-94) intercettano le comunicazioni sicure tra due parti.
Attack Techniques
-
Adversary-in-the-Middle attacks (CAPEC-94) intercept secure communication between two parties.
-
Intercept or modify a query, or send a bogus query with known credentials (such as transaction ID).IT: Gli attacchi Adversary-in-the-Middle (CAPEC-94) intercettano le comunicazioni sicure tra due parti.
Mitigations
2
Configuration: Disable Client Side Caching.
Implementation: Listens For Query Replies On A Network, And Sends A Notification Via Email When An Entry Changes.
Consequences
Consequence Information
{'impacts': [], 'impacts_translate': [], 'scopes': [], 'scopes_translate': []}
Relationships
Parent CAPECs
Child CAPECs
Related ATT&CK Techniques
1
T1557.002
ARP Cache Poisoning
Adversaries may poison Address Resolution Protocol (ARP) caches to position themselves between the communication of two or more networked devices. …