that is being blocked by an error page, the web page or web service
can be disabled piecemeal (see Figure 6 in Appendix A).
According to our experiments 11% of the DoD web sites, 30% of
the Alexa Top 500 websites and 16% of the URLs in the analyzed
HTTP Archive data set are potentially vulnerable to CPDoS attacks.
These cached contents also include mission-critical firmware and
update files. Considering the fact that modern distributed appli-
cations often follow the Microservices [29] and Service-Oriented
Architecture (SOA) [10] design principles, where services are imple-
mented in different programming languages and are operated by
distinct entities, more semantic gap vulnerabilities may appear in
the future. Hence, a more in-depth understanding of such vulnera-
bilities needs to be gathered in order to develop robust safeguards
that do not depend on a particular implementation and concatenation
of system layers.
ACKNOWLEDGMENT
First of all, we would like to thank all reviewers for their thoughtful
remarks and comments. Moreover, we would especially like to thank
Shuo Chen and James Kettle for their feedback and suggestions.
Finally, we appreciated the disclosure processes with the AWS-
Security team, the Microsoft Security Response Center and the Play
Framework development team.
This work has been funded by the German Federal Ministry of
Education and Research within the funding program "Forschung
an Fachhochschulen" (contract no. 13FH016IX6).
REFERENCES
[1] Amazon. 2019. How CloudFront Processes and Caches HTTP 4xx and 5xx Status Codes from Your Origin. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/HTTPStatusCodes.html
[2] Apache HTTP Server Project. 2019. Security Tips. https://httpd.apache.org/docs/trunk/misc/security_tips.html
[3] G. Barish and K. Obraczka. 2000. World Wide Web caching: trends and techniques. IEEE Communications Magazine 38, 5 (2000), 178–184. https://doi.org/10.1109/35.841844
[4] M. Belshe, R. Peon, and M. Thomson. 2015. Hypertext Transfer Protocol Version 2 (HTTP/2). RFC 7540. IETF. https://tools.ietf.org/html/rfc7540
[5] T. Bray. 2016. An HTTP Status Code to Report Legal Obstacles. RFC 7725. IETF. https://tools.ietf.org/html/rfc7725
[6] A. Chatiron. 2019. Define allowed methods used in 'X-HTTP-Method-Override'. https://github.com/playframework/play1/issues/1300
[7] J. Chen, J. Jiang, H. Duan, N. Weaver, T. Wan, and V. Paxson. 2016. Host of Troubles: Multiple Host Ambiguities in HTTP Implementations. In 23rd ACM SIGSAC Conference on Computer and Communications Security (CCS). https://doi.org/10.1145/2976749.2978394
[8] G. Clemm, J. Crawford, J. Reschke, and J. Whitehead. 2010. Binding Extensions to Web Distributed Authoring and Versioning (WebDAV). RFC 5842. IETF. https://tools.ietf.org/html/rfc5842
[9] L. Dusseault. 2007. HTTP Extensions for Web Distributed Authoring and Versioning (WebDAV). RFC 4918. IETF. https://tools.ietf.org/html/rfc4918
[10] T. Erl. 2007. SOA Principles of Service Design. Prentice Hall PTR.
[11] R. Fielding, M. Nottingham, and J. Reschke. 2014. Hypertext Transfer Protocol (HTTP/1.1): Caching. RFC 7234. IETF. https://tools.ietf.org/html/rfc7234
[12] R. Fielding and J. Reschke. 2014. Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing. RFC 7230. IETF. https://tools.ietf.org/html/rfc7230
[13] R. Fielding and J. Reschke. 2014. Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content. RFC 7231. IETF. https://tools.ietf.org/html/rfc7231
[14] Flask. 2010. Adding HTTP Method Overrides. http://flask.pocoo.org/docs/1.0/patterns/methodoverrides/
[15] O. Gil. 2017. Web Cache Deception Attack. In Black Hat USA. https://blogs.akamai.com/2017/03/on-web-cache-deception-attacks.html
[16] K. Holtman and A. Mutz. 1998. Transparent Content Negotiation in HTTP. RFC 2295. IETF. https://tools.ietf.org/html/rfc2295
[17] IEEE Spectrum. 2018. Interactive: The Top Programming Languages 2018. https://spectrum.ieee.org/static/interactive-the-top-programming-languages-2018
[18] S. Jana and V. Shmatikov. 2012. Abusing File Processing in Malware Detectors for Fun and Profit. In 33rd IEEE Symposium on Security and Privacy. 80–94. https://doi.org/10.1109/SP.2012.15
[19] Y. Jia, Y. Chen, X. Dong, P. Saxena, J. Mao, and Z. Liang. 2015. Man-in-the-browser-cache. Computers and Security 55, C (2015), 62–80. https://doi.org/10.1016/j.cose.2015.07.004
[20] J. Kettle. 2018. Bypassing Web Cache Poisoning Countermeasures. https://portswigger.net/blog/practical-web-cache-poisoning
[21] J. Kettle. 2018. Denial of service via cache poisoning. https://hackerone.com/reports/409370
[22] J. Kettle. 2018. Practical Web Cache Poisoning. In Black Hat USA. https://portswigger.net/blog/practical-web-cache-poisoning
[23] A. Klein. 2004. Divide and Conquer - HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics. White Paper. Sanctum, Inc. https://dl.packetstormsecurity.net/papers/general/whitepaper_httpresponse.pdf
[24] C. Linhart, A. Klein, R. Heled, and S. Orrin. 2005. HTTP Request Smuggling. http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf
[25] L. Masinter. 1998. Hyper Text Coffee Pot Control Protocol (HTCPCP/1.0). RFC 2324. IETF. https://tools.ietf.org/html/rfc2324
[26] National Vulnerability Database. 2010. CVE-2010-2730 Detail. NIST. https://nvd.nist.gov/vuln/detail/CVE-2010-2730
[27] National Vulnerability Database. 2019. CVE-2019-0941 Detail. NIST. https://nvd.nist.gov/vuln/detail/CVE-2019-0941
[28] Netcraft. 2019. January 2019 Web Server Survey. https://news.netcraft.com/archives/2019/01/24/january-2019-web-server-survey.html
[29] S. Newman. 2015. Building Microservices: Designing Fine-Grained Systems. O'Reilly.
[30] H. V. Nguyen, L. Lo Iacono, and H. Federrath. 2018. Systematic Analysis of Web Browser Caches. In 2nd International Conference on Web Studies (WS). https://doi.org/10.1145/3240431.3240443
[31] H. V. Nguyen, L. Lo Iacono, and H. Federrath. 2019. Mind the Cache: Large-Scale Analysis of Web Caching. In 34th ACM/SIGAPP Symposium on Applied Computing (SAC). https://doi.org/10.1145/3297280.3297526
[32] H. Nielsen and S. Lawrence. 2000. An HTTP Extension Framework. RFC 2774. IETF. https://tools.ietf.org/html/rfc2774
[33] M. Nottingham. 2019. HTTP Caching Tests. https://cache-tests.fyi/
[34] M. Nottingham and R. Fielding. 2012. Additional HTTP Status Codes. RFC 6585. IETF. https://tools.ietf.org/html/rfc6585
[35] OWASP. 2017. Denial of Service Cheat Sheet. https://www.owasp.org/index.php/Denial_of_Service_Cheat_Sheet#Mitigation_3:_Limit_length_and_size
[36] L. Richardson and S. Ruby. 2008. RESTful Web Services. O'Reilly Media, Inc.
[37] J. Somorovsky, M. Heiderich, M. Jensen, J. Schwenk, N. Gruschka, and L. Lo Iacono. 2011. All Your Clouds Are Belong to Us: Security Analysis of Cloud Management Interfaces. In 3rd ACM Workshop on Cloud Computing Security (CCSW). ACM, New York, NY, USA, 3–14. https://doi.org/10.1145/2046660.2046664
[38] C.-A. Staicu and M. Pradel. 2018. Freezing the Web: A Study of ReDoS Vulnerabilities in JavaScript-based Web Servers. In 27th USENIX Security Symposium (USENIX Security). USENIX Association, Berkeley, CA, USA, 361–376. http://dl.acm.org/citation.cfm?id=3277203.3277231
[39] S. Triukose, Z. Al-Qudah, and M. Rabinovich. 2009. Content Delivery Networks: Protection or Threat? In 14th European Symposium on Research in Computer Security (ESORICS). https://doi.org/10.1007/978-3-642-04444-1_23