[ST-118] Page Caching Not Disabled - Workterra Jira

Details

Type: Change Request
Status: Closed
Priority: Medium
Resolution: Done
Component/s: BenAdmin
Labels:
- Low
- Risk
- Security

Module:
BenAdmin - Security
Reported by:
Support
Item State:
Production Complete
Issue Importance:
Must Have

Description

Vulnerability Description
Page caching by the web browser is not disabled in many HTML pages throughout the application.

Impact
This vulnerability could allow sensitive application information to be recovered in clear-text from a browser’s cache in situations where a user logs in to the site via a shared computer (e.g., in a public library, a public Internet kiosk, etc.) or if a malicious user gained local access to a legitimate user’s workstation. Other information disclosures may also result from this condition. In some cases, after a user logs out of the application, a malicious user with local access to the victim’s workstation can press the browser’s “back” button in order to view the last page accessed by the user prior to logging out.

Verification and Attack Information
Praetorian identified this issue by observing Cache-Control headers sent in server responses and by manually viewing contents of the client’s local cache directory. Example evidence is shown below.

Recommendation
Set page-caching directives using three HTTP 1.0/1.1 headers for all pages containing sensitive or volatile data. The headers are:
 Cache-Control: no-cache
 Pragma: no-cache
 Expires: -1

References
https://www.owasp.org/index.php/Category:WASS_Page_Caching

Hide

Permalink

Zeeshan Chishty (Inactive) added a comment - 25/May/16 07:05 AM

Verified as cache control header is specified with values no cache, no store and max age:0
Pragma:no cache
Expires:-1

Show

Zeeshan Chishty (Inactive) added a comment - 25/May/16 07:05 AM Verified as cache control header is specified with values no cache, no store and max age:0 Pragma:no cache Expires:-1

Hide

Permalink

Zeeshan Chishty (Inactive) added a comment - 13/Jun/16 05:30 AM

Verified on stage as cache control header is specified with values no cache, no store and max age:0
Pragma:no cache
Expires:-1

Show

Zeeshan Chishty (Inactive) added a comment - 13/Jun/16 05:30 AM Verified on stage as cache control header is specified with values no cache, no store and max age:0 Pragma:no cache Expires:-1

Hide

Permalink

Zeeshan Chishty (Inactive) added a comment - 28/Jun/16 04:21 AM

Confirmed on Production cache control headers are set to no chache, no store wherever necessary.

Show

Zeeshan Chishty (Inactive) added a comment - 28/Jun/16 04:21 AM Confirmed on Production cache control headers are set to no chache, no store wherever necessary.

Hide

Permalink

Zeeshan Chishty (Inactive) added a comment - 28/Jun/16 04:22 AM

Rakesh Roy This should be verified for performance or any other functional issues.Please assign it if required

Show

Zeeshan Chishty (Inactive) added a comment - 28/Jun/16 04:22 AM Rakesh Roy This should be verified for performance or any other functional issues.Please assign it if required

Hide

Permalink

Deepali Tidke (Inactive) added a comment - 28/Jun/16 09:22 AM

Checked mentioned pages on production except for On Board and Wellness module

Show

Deepali Tidke (Inactive) added a comment - 28/Jun/16 09:22 AM Checked mentioned pages on production except for On Board and Wellness module

People

Assignee:: Deepali Tidke (Inactive)

Reporter:: Vijayendra Shinde (Inactive)

Developer:: Niteen Surwase (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 12/Apr/16 06:19 AM

Updated:: 28/Jun/16 09:22 AM

Resolved:: 28/Jun/16 09:22 AM

Details

Description

Attachments

Attachments

Activity

People

Dates