Medium Vulnerability Description
Page caching by the web browser is not disabled in many HTML pages throughout the application.
Impact
This vulnerability could allow sensitive application information to be recovered in clear-text from a browser’s cache in situations where a user logs in to the site via a shared computer (e.g., in a public library, a public Internet kiosk, etc.) or if a malicious user gained local access to a legitimate user’s workstation. Other information disclosures may also result from this condition. In some cases, after a user logs out of the application, a malicious user with local access to the victim’s workstation can press the browser’s “back” button in order to view the last page accessed by the user prior to logging out.
Verification and Attack Information
Praetorian identified this issue by observing Cache-Control headers sent in server responses and by manually viewing contents of the client’s local cache directory. Example evidence is shown below.
Recommendation
Set page-caching directives using three HTTP 1.0/1.1 headers for all pages containing sensitive or volatile data. The headers are:
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
References
https://www.owasp.org/index.php/Category:WASS_Page_Caching