Unauthenticated Cache Purge
It was possible to invoke cache purge on specific URLs.
- unauthenticated
- cache
- purge
- ddos
- dos
- denial of service
- billing
The HTTP PURGE method is used to remove entries from the web cache. It can purge specific resources or, if no parameter is given, all cached content.
Impact
Attackers can issue a PURGE request for any resource and invalidate its cached copy. Repeated purges force the origin to regenerate content, which can lead to increased bandwidth costs and degraded application performance.
Solution
Disallow cache purge requests entirely, or limit them to authenticated users only.
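As an added example (not code from the original page), the following Python model of a cache front-end shows both solution options: the PURGE method can be disabled outright, or it is accepted only when the caller presents a valid token. The header name X-Purge-Token, the token value and the in-memory cache are assumptions made for illustration.

```python
# Added example (not from the original page): a cache front-end that accepts
# the PURGE method only from authenticated callers, or not at all.
# The header name, token and cache layout are assumptions for illustration.
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed secret for the example; a real deployment loads this from a
# secrets store and never hard-codes it.
PURGE_TOKEN = "example-purge-token-do-not-use"


@dataclass
class Cache:
    """Minimal in-memory cache keyed by request path."""
    entries: Dict[str, bytes] = field(default_factory=dict)

    def purge(self, path: Optional[str]) -> int:
        """Remove one cached path, or everything when path is None.
        Returns the number of entries removed."""
        if path is None:
            removed = len(self.entries)
            self.entries.clear()
            return removed
        return 1 if self.entries.pop(path, None) is not None else 0


def _authorized(headers: Dict[str, str]) -> bool:
    """Check the purge token with a constant-time comparison so the
    check does not leak the token through timing differences."""
    presented = headers.get("X-Purge-Token", "")
    return hmac.compare_digest(presented, PURGE_TOKEN)


def handle_request(method: str, path: str, headers: Dict[str, str],
                   cache: Cache, purge_allowed: bool = True) -> Tuple[int, bytes]:
    """Return (status_code, body). Only PURGE handling is modelled;
    any other method is served from the cache or answered with MISS."""
    if method != "PURGE":
        return 200, cache.entries.get(path, b"MISS")
    if not purge_allowed:
        # Solution option 1: the PURGE method is disabled entirely.
        return 405, b"PURGE not allowed"
    if not _authorized(headers):
        # Solution option 2: PURGE is limited to authenticated callers.
        # The cache is left untouched for an unauthenticated request.
        return 401, b"authentication required"
    # An empty path models "no parameter given": purge everything.
    target = path if path else None
    removed = cache.purge(target)
    return 200, f"purged {removed}".encode()


if __name__ == "__main__":
    cache = Cache({"/index.html": b"<html>", "/api/v1/items": b"[]"})
    print(handle_request("PURGE", "/index.html", {}, cache))
    print(handle_request("PURGE", "/index.html",
                         {"X-Purge-Token": PURGE_TOKEN}, cache))
    print(handle_request("PURGE", "", {"X-Purge-Token": PURGE_TOKEN}, cache))
```

An unauthenticated PURGE returns 401 and leaves the cache untouched; a request carrying the expected token purges the named path, and an empty path purges everything. Passing purge_allowed=False answers every PURGE with 405, which is the simpler option when no legitimate client needs to purge over HTTP.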