CDN Cache Poisoning — Serving Malicious Content to Users
An attacker exploits an unkeyed header vulnerability to poison the CDN cache, causing all users requesting a specific page to receive a response containing injected malicious JavaScript. The poisoned cache entry has a 24-hour TTL and is replicated across all edge locations.
Pattern: UNKNOWN
Severity: CRITICAL
Confidence: 95%
Remediation: Remote Hands
Test Results

Metric | Expected | Actual | Result
--- | --- | --- | ---
Pattern Recognition | UNKNOWN | UNKNOWN |
Severity Assessment | CRITICAL | CRITICAL |
Incident Correlation | Yes | 20 linked |
Cascade Escalation | N/A | No |
Remediation | — | Remote Hands — Corax contacts on-site support via call, email, or API |
Scenario Conditions
CDN with 50+ edge locations. Web application vulnerable to unkeyed Host header injection. Attacker sends crafted request with malicious Host header. CDN caches the poisoned response. 24-hour TTL. All edge locations serving malicious content.
Injected Error Messages (2)
CDN cache integrity violation detected — cached response for /login page contains injected script tag pointing to external malicious domain, cache key: GET /login, cache age: 2 hours, TTL remaining: 22 hours, affected edge locations: all 50+ POPs, origin response does not contain the injected content indicating cache poisoning attack via unkeyed header manipulation, X-Forwarded-Host header used to inject malicious payload into cached HTML response
origin server security scan — origin response for /login is clean (no malicious content), but CDN-cached version contains injected JavaScript referencing evil-domain.com/steal.js, mismatch between origin and edge responses confirms cache poisoning, attack vector: Host header reflection vulnerability, all users receiving poisoned cached version, credential theft risk active
Neural Engine Root Cause Analysis
A cache poisoning attack has successfully compromised the CDN by exploiting unkeyed header manipulation via the X-Forwarded-Host header. The attacker injected malicious JavaScript into the cached /login page response, which is now being served to all users across 50+ POPs for the next 22 hours. The origin server is clean, confirming this is a CDN-layer vulnerability where the cache key doesn't include security-critical headers, allowing attackers to poison cached responses that affect all subsequent users.
Remediation Plan
1. IMMEDIATE: Purge all cached content for the /login endpoint across all POPs to stop serving malicious content.
2. URGENT: Review and purge cache for all authentication-related endpoints (/login, /auth, /signin, etc.).
3. Configure the CDN to include X-Forwarded-Host in the cache key, or strip/sanitize unkeyed headers before they reach the origin.
4. Implement cache integrity validation and response sanitization.
5. Review CDN access logs to identify the attack source and timeline.
6. Notify the security team for incident response and user impact assessment.
7. Consider temporarily bypassing the CDN for critical authentication endpoints until security controls are in place.
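To make steps 3 and 4 of the plan concrete, here is a small model of the defect and of the two CDN-side fixes. It is an added example, not code from the page or from any CDN or from the Corax product; the origin, the edge cache, the hostnames and the request sequence are all constructed. The toy origin reflects X-Forwarded-Host into an absolute script URL (the reflection class the page describes); the toy edge is run three times: with the header unkeyed, with the header added to the cache key, and with the header stripped. A final check compares the cached body with a fresh origin response, which is the origin-versus-edge mismatch that the page's detection messages rely on.

```python
"""Model of an unkeyed-header cache poisoning defect and two CDN-side fixes.

Added example, not part of the original page or of any real CDN.
Everything here is constructed: the toy origin, the toy edge cache and
the placeholder hostnames.
"""
from dataclasses import dataclass, field

TRUSTED_HOST = "www.example.com"             # constructed placeholder
UNTRUSTED_HOST = "attacker-controlled.example"  # constructed placeholder


def origin(path: str, headers: dict) -> str:
    """Toy origin: builds an absolute asset URL from X-Forwarded-Host if present.

    This is the reflection defect the page describes. A real fix should also
    stop the origin trusting this header; the example focuses on the CDN-layer
    controls named in the remediation plan.
    """
    host = headers.get("X-Forwarded-Host", headers.get("Host", TRUSTED_HOST))
    return f'<html><script src="https://{host}/static/app.js"></script></html>'


@dataclass
class EdgeCache:
    """Toy CDN edge.

    keyed_headers: header names that become part of the cache key.
    strip_headers: header names removed from the request before it is
                   forwarded to the origin (never cached, never reflected).
    """
    keyed_headers: tuple = ()
    strip_headers: tuple = ()
    store: dict = field(default_factory=dict)

    def forwarded_headers(self, headers: dict) -> dict:
        return {k: v for k, v in headers.items() if k not in self.strip_headers}

    def get(self, path: str, headers: dict) -> str:
        fwd = self.forwarded_headers(headers)
        # Cache key = path plus the values of every keyed header (empty if absent).
        key = (path,) + tuple(fwd.get(h, "") for h in self.keyed_headers)
        if key not in self.store:
            self.store[key] = origin(path, fwd)
        return self.store[key]


def simulate(cache: EdgeCache) -> str:
    """One crafted request, then an ordinary user's request for the same path.

    Returns the body the ordinary user receives from the edge.
    """
    cache.get("/login", {"Host": TRUSTED_HOST, "X-Forwarded-Host": UNTRUSTED_HOST})
    return cache.get("/login", {"Host": TRUSTED_HOST})


def is_poisoned(body: str) -> bool:
    """True if the served body references the untrusted host."""
    return UNTRUSTED_HOST in body


def cache_integrity_check(cache: EdgeCache, path: str, headers: dict) -> bool:
    """Step 4 of the plan: the cached body must equal a fresh origin response
    for the same (forwarded) request. A mismatch is the origin-vs-edge signal
    quoted in the page's detection messages."""
    cached = cache.get(path, headers)
    fresh = origin(path, cache.forwarded_headers(headers))
    return cached == fresh


if __name__ == "__main__":
    configs = {
        "unkeyed (vulnerable)": EdgeCache(),
        "X-Forwarded-Host in cache key": EdgeCache(keyed_headers=("X-Forwarded-Host",)),
        "X-Forwarded-Host stripped": EdgeCache(strip_headers=("X-Forwarded-Host",)),
    }
    for name, cache in configs.items():
        body = simulate(cache)
        ok = cache_integrity_check(cache, "/login", {"Host": TRUSTED_HOST})
        print(f"{name:32s} poisoned={is_poisoned(body)!s:5s} integrity_ok={ok}")
```

The unkeyed configuration serves the reflected body to every later visitor of /login because the crafted header never entered the cache key; both fixes leave the ordinary user's cache entry untouched, and the integrity check flags only the vulnerable configuration. Keying on the header is the narrower change (the cache still honours distinct values), stripping it is the safer one when nothing downstream legitimately needs it.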