HIGH cache poisoningfastapi

Cache Poisoning in Fastapi

Scan for cache poisoning in fastapi

How Cache Poisoning Manifests in Fastapi

Cache poisoning in Fastapi applications occurs when untrusted user input influences cached responses, causing subsequent users to receive manipulated or incorrect data. Fastapi's async nature and integration with caching backends like Redis or in-memory caches creates specific attack vectors that differ from traditional web frameworks.

The most common Fastapi cache poisoning scenario involves query parameters and path parameters being used as cache keys without proper validation. Consider this vulnerable endpoint:

from fastapi import FastAPI
from fastapi.responses import JSONResponse
import redis

app = FastAPI()
redis_client = redis.Redis(host='redis', port=6379, db=0)

@app.get("/api/users/{user_id}")
async def get_user(user_id: str):
    cache_key = f"user:{user_id}"
    cached = redis_client.get(cache_key)
    if cached:
        return JSONResponse(content=cached)
    
    # Simulate database query
    user_data = await get_user_from_db(user_id)
    redis_client.set(cache_key, user_data)
    return JSONResponse(content=user_data)

An attacker can craft malicious user_id values like ../../../../etc/passwd or SQL injection payloads. If the application doesn't properly sanitize these inputs before using them as cache keys, the attacker's response gets cached and served to other users.

Fastapi's dependency injection system creates another attack surface. When dependencies are cached without considering their state or authentication context:

@app.get("/api/data")
async def get_sensitive_data(
    db: Database = Depends(get_database)
):
    # Database connection cached without auth context
    return await db.query("SELECT * FROM sensitive_data")

If the database dependency is cached per request rather than per authenticated user, one user's query results could be served to another user.

Header-based cache poisoning is particularly problematic in Fastapi. Attackers can manipulate cache keys through custom headers:

@app.get("/api/cache-me")
async def cache_with_headers(
    x_user_id: str = Header(...),
    x_session: str = Header(...)
):
    cache_key = f"data:{x_user_id}:{x_session}"
    # No validation of header values
    return await expensive_operation()

Malicious headers like X-User-Id: admin or X-Session: .. can poison the cache with privileged responses.

Fastapi-Specific Detection

Detecting cache poisoning in Fastapi requires examining both the application code and runtime behavior. middleBrick's black-box scanning approach is particularly effective because it tests the actual attack surface without requiring source code access.

middleBrick scans Fastapi endpoints for cache poisoning by testing parameter manipulation patterns. The scanner attempts to inject special characters, path traversal sequences, and SQL-like syntax into path parameters and query strings, then verifies if these manipulated responses get cached and served to other users.

For Fastapi applications using Redis or similar backends, middleBrick can detect improper cache key construction by:

  1. Analyzing the OpenAPI specification to understand parameter types and expected formats
  2. Crafting boundary case inputs that would create predictable cache key collisions
  3. Verifying if manipulated responses are served from cache to subsequent requests
  4. Checking for missing input validation on parameters used in cache keys

The scanner also examines Fastapi's dependency injection patterns. It looks for dependencies that might be cached without proper context isolation, particularly database connections and authentication services.

middleBrick's LLM security module adds another layer of detection for Fastapi applications using AI features. It tests for system prompt leakage and prompt injection that could manipulate cached AI responses, a growing concern as Fastapi becomes popular for AI API development.

Runtime monitoring with middleBrick provides continuous detection by scanning your Fastapi APIs on a configurable schedule. The Pro plan's continuous monitoring can alert you when new cache poisoning vulnerabilities are introduced through code changes.

Fastapi-Specific Remediation

Fastapi provides several native features to prevent cache poisoning. The most effective approach combines input validation, proper cache key construction, and context-aware caching.

First, always validate and sanitize parameters before using them in cache keys:

from fastapi import HTTPException
from pydantic import BaseModel, Field
from fastapi_cache import FastAPICache
from fastapi_cache.backends.redis import RedisBackend

class UserID(BaseModel):
    user_id: str = Field(..., regex=r'^[a-zA-Z0-9_-]{3,20}$')

@app.get("/api/users/{user_id}")
async def get_user(user_id: str = Path(..., regex=r'^[a-zA-Z0-9_-]{3,20}$')):
    # Validate input before cache operations
    if not re.match(r'^[a-zA-Z0-9_-]{3,20}$', user_id):
        raise HTTPException(status_code=400, detail="Invalid user ID format")
    
    cache_key = f"user:{user_id}"
    cached = await FastAPICache.get(cache_key)
    if cached:
        return cached
    
    user_data = await get_user_from_db(user_id)
    await FastAPICache.set(cache_key, user_data, expire=3600)
    return user_data

The regex validation ensures only alphanumeric user IDs with specific characters are accepted, preventing path traversal and injection attacks.

For dependency injection, use Fastapi's per-request scope to avoid caching across user contexts:

@app.get("/api/data")
async def get_sensitive_data(
    db: Database = Depends(get_database, scope="request")
):
    # Database connection created per request, not cached across users
    return await db.query("SELECT * FROM sensitive_data WHERE user_id = $1", user_id)

Fastapi's built-in dependency scopes prevent the caching issues that plague other frameworks.

For header-based caching, implement strict header validation and use Fastapi's Header validator:

from fastapi import Header, HTTPException

@app.get("/api/cache-me")
async def cache_with_headers(
    x_user_id: str = Header(..., regex=r'^[a-f0-9]{24}$'),
    x_session: str = Header(..., regex=r'^session_[a-zA-Z0-9]{16}$')
):
    if not validate_session(x_session):
        raise HTTPException(status_code=401, detail="Invalid session")
    
    cache_key = f"data:{x_user_id}:{x_session}"
    return await expensive_operation()

The regex patterns ensure headers contain only expected formats, blocking malicious input.

For applications using Fastapi's caching middleware, configure proper cache invalidation policies:

from fastapi_cache import FastAPICache
from fastapi import FastAPI

app = FastAPI()

@app.on_event("startup")
async def startup_event():
    await FastAPICache.init(
        RedisBackend(),
        prefix="ep"
    )

@app.middleware("http")
async def add_process_time_header(request: Request, call_next):
    response = await call_next(request)
    # Add cache control headers to prevent client-side poisoning
    response.headers["Cache-Control"] = "private, no-store"
    return response

These patterns, combined with middleBrick's scanning capabilities, provide comprehensive protection against Fastapi cache poisoning attacks.

Scan for cache poisoning in fastapi Free API security scan

Frequently Asked Questions

How does Fastapi's async nature affect cache poisoning vulnerabilities?
Fastapi's async/await model can actually help prevent some cache poisoning issues by naturally isolating request contexts. However, it also creates timing-based attack vectors where race conditions might allow one user's cached response to be served to another user if proper synchronization isn't implemented around cache operations.
Can middleBrick detect cache poisoning in Fastapi applications using Redis?
Yes, middleBrick's black-box scanning tests Fastapi endpoints with Redis backends by injecting malicious cache keys and verifying if manipulated responses get served to other users. The scanner examines the OpenAPI spec to understand parameter patterns and crafts targeted attacks to identify cache poisoning vulnerabilities.

Related Pages

Cache Poisoning in Fastapi on GcpLearn how cache poisoning affects Fastapi on GCP, and apply concrete GCP-aware fixes with code examples to secure cachinCache Poisoning in Fastapi on KubernetesCache poisoning in Fastapi on Kubernetes: causes and Kubernetes-aware fixes with code examples and how middleBrick detecCache Poisoning in Fastapi on NetlifyCache poisoning in Fastapi with Netlify: causes and Netlify-specific fixes including headers, Vary, and edge functions.Cache Poisoning in Fastapi on CloudflareCache poisoning in Fastapi behind Cloudflare: causes, risks, and hardening techniques with code examples.Owasp Api Top 10: Cache Poisoning in FastapiExplore cache poisoning in OWASP API Top 10 with FastAPI. Learn how caching misconfigurations expose APIs and apply concHipaa: Cache Poisoning in FastapiExplore HIPAA risks from cache poisoning in FastAPI: how vulnerabilities arise and concrete remediation with secure codeGdpr: Cache Poisoning in FastapiGDPR in FastAPI cache poisoning: risks and remediation with code examplesNist: Cache Poisoning in FastapiExplore NIST-aligned cache poisoning risks in FastAPI, with concrete code fixes and validation patterns to secure cache Cache Poisoning in Fastapi with Jwt TokensExplore how cache poisoning can occur in Fastapi when JWT tokens are not considered in cache keys, and implement JWT-awaCache Poisoning in Fastapi with Api KeysLearn how cache poisoning occurs in Fastapi when using API keys, and apply concrete remediation patterns with secure codCache Poisoning in Fastapi with Hmac SignaturesCache poisoning in FastAPI with HMAC signatures: causes and concrete fixes with code examples covering canonical string Cache Poisoning in Fastapi with Basic AuthCache poisoning in Fastapi with Basic Auth: risks, Vary headers, and remediation examples for securing authenticated end