Project SimpleProject Type: software

Project Simple

Uploaded image for project: 'Project Simple'
  1. Project Simple
  2. ST-118

Page Caching Not Disabled

    Details

    • Type: Change Request
    • Status: Closed
    • Priority: Medium
    • Resolution: Done
    • Component/s: BenAdmin
    • Labels:
    • Module:
      BenAdmin - Security
    • Reported by:
      Support
    • Item State:
      Production Complete
    • Issue Importance:
      Must Have

      Description

      Vulnerability Description
      Page caching by the web browser is not disabled in many HTML pages throughout the application.

      Impact
      This vulnerability could allow sensitive application information to be recovered in clear-text from a browser’s cache in situations where a user logs in to the site via a shared computer (e.g., in a public library, a public Internet kiosk, etc.) or if a malicious user gained local access to a legitimate user’s workstation. Other information disclosures may also result from this condition. In some cases, after a user logs out of the application, a malicious user with local access to the victim’s workstation can press the browser’s “back” button in order to view the last page accessed by the user prior to logging out.

      Verification and Attack Information
      Praetorian identified this issue by observing Cache-Control headers sent in server responses and by manually viewing contents of the client’s local cache directory. Example evidence is shown below.

      Recommendation
      Set page-caching directives using three HTTP 1.0/1.1 headers for all pages containing sensitive or volatile data. The headers are:
       Cache-Control: no-cache
       Pragma: no-cache
       Expires: -1

      References
      https://www.owasp.org/index.php/Category:WASS_Page_Caching

        Attachments

          Activity

          Ascending order - Click to sort in descending order
          vijayendra Vijayendra Shinde (Inactive) created issue -
          vijayendra Vijayendra Shinde (Inactive) made changes -
          Field Original Value New Value
          Rank Ranked higher
          vijayendra Vijayendra Shinde (Inactive) made changes -
          Assignee Niteen Surwase [ niteen.surwase ]
          vijayendra Vijayendra Shinde (Inactive) made changes -
          Status New Request [ 10029 ] Pending for Approval [ 10002 ]
          vijayendra Vijayendra Shinde (Inactive) made changes -
          Status Pending for Approval [ 10002 ] Approved for Development [ 10003 ]
          vijayendra Vijayendra Shinde (Inactive) made changes -
          Status Approved for Development [ 10003 ] In Development [ 10007 ]
          vijayendra Vijayendra Shinde (Inactive) made changes -
          Component/s BenAdmin [ 10100 ]
          vijayendra Vijayendra Shinde (Inactive) made changes -
          Labels Low Risk Security
          vijayendra Vijayendra Shinde (Inactive) made changes -
          Description *Vulnerability Description*
          Page caching by the web browser is not disabled in many HTML pages throughout the application.

          *Impact*
          This vulnerability could allow sensitive application information to be recovered in clear-text from a browser’s cache in situations where a user logs in to the site via a shared computer (e.g., in a public library, a public Internet kiosk, etc.) or if a malicious user gained local access to a legitimate user’s workstation. Other information disclosures may also result from this condition. In some cases, after a user logs out of the application, a malicious user with local access to the victim’s workstation can press the browser’s “back” button in order to view the last page accessed by the user prior to logging out.

          *Verification and Attack Information*
          Praetorian identified this issue by observing Cache-Control headers sent in server responses and by manually viewing contents of the client’s local cache directory. Example evidence is shown below.

          *Recommendation*
          Set page-caching directives using three HTTP 1.0/1.1 headers for all pages containing sensitive or volatile data. The headers are:
           Cache-Control: no-cache
           Pragma: no-cache
           Expires: -1           		*Vulnerability Description*
          Page caching by the web browser is not disabled in many HTML pages throughout the application.

          *Impact*
          This vulnerability could allow sensitive application information to be recovered in clear-text from a browser’s cache in situations where a user logs in to the site via a shared computer (e.g., in a public library, a public Internet kiosk, etc.) or if a malicious user gained local access to a legitimate user’s workstation. Other information disclosures may also result from this condition. In some cases, after a user logs out of the application, a malicious user with local access to the victim’s workstation can press the browser’s “back” button in order to view the last page accessed by the user prior to logging out.

          *Verification and Attack Information*
          Praetorian identified this issue by observing Cache-Control headers sent in server responses and by manually viewing contents of the client’s local cache directory. Example evidence is shown below.

          *Recommendation*
          Set page-caching directives using three HTTP 1.0/1.1 headers for all pages containing sensitive or volatile data. The headers are:
           Cache-Control: no-cache
           Pragma: no-cache
           Expires: -1

          *References*
          https://www.owasp.org/index.php/Category:WASS_Page_Caching
          niteen.surwase Niteen Surwase (Inactive) made changes -
          Assignee Niteen Surwase [ niteen.surwase ] Amit Gude [ amitg ]
          niteen.surwase Niteen Surwase (Inactive) made changes -
          Status In Development [ 10007 ] Local Testing [ 10200 ]
          amitg Amit Gude (Inactive) made changes -
          Assignee Amit Gude [ amitg ] Zeeshan Chishty [ zeeshan.chishty ]
          Zeeshan.Chishty Zeeshan Chishty (Inactive) made changes -
          Status Local Testing [ 10200 ] Reopen in Local [ 10018 ]
          niteen.surwase Niteen Surwase (Inactive) made changes -
          Status Reopen in Local [ 10018 ] In Development [ 10007 ]
          niteen.surwase Niteen Surwase (Inactive) made changes -
          Status In Development [ 10007 ] Local Testing [ 10200 ]
          niteen.surwase Niteen Surwase (Inactive) made changes -
          Attachment List of Cache Imapached pages.xls [ 17001 ]
          niteen.surwase Niteen Surwase (Inactive) made changes -
          Attachment Cache-Control-ed Modules.xls [ 17306 ]
          niteen.surwase Niteen Surwase (Inactive) made changes -
          Attachment List of Cache Imapached pages.xls [ 17001 ]
          samir Samir made changes -
          Issue Importance Must Have [ 11800 ]
          Zeeshan.Chishty Zeeshan Chishty (Inactive) made changes -
          Assignee Zeeshan Chishty [ zeeshan.chishty ] Niteen Surwase [ niteen.surwase ]
          vijayendra Vijayendra Shinde (Inactive) made changes -
          Assignee Niteen Surwase [ niteen.surwase ] Zeeshan Chishty [ zeeshan.chishty ]
          vijayendra Vijayendra Shinde (Inactive) made changes -
          Status Local Testing [ 10200 ] Reopen in Local [ 10018 ]
          vijayendra Vijayendra Shinde (Inactive) made changes -
          Status Reopen in Local [ 10018 ] In Development [ 10007 ]
          vijayendra Vijayendra Shinde (Inactive) made changes -
          Status In Development [ 10007 ] Local Testing [ 10200 ]
          Zeeshan.Chishty Zeeshan Chishty (Inactive) made changes -
          Assignee Zeeshan Chishty [ zeeshan.chishty ]
          Zeeshan.Chishty Zeeshan Chishty (Inactive) made changes -
          Status Local Testing [ 10200 ] Pending for Stage Approval [ 10300 ]
          Zeeshan.Chishty Zeeshan Chishty (Inactive) made changes -
          Assignee Vijayendra Shinde [ ID10506 ]
          vijayendra Vijayendra Shinde (Inactive) made changes -
          Item State Parent values: Development(10200)Level 1 values: In Progress(10206) Parent values: LB QA(10201)Level 1 values: Ready for Stage(10213)
          niteen.surwase Niteen Surwase (Inactive) made changes -
          Item State Parent values: LB QA(10201)Level 1 values: Ready for Stage(10213) Parent values: Stage QA(10202)Level 1 values: Stage Deployed(11602)
          niteen.surwase Niteen Surwase (Inactive) made changes -
          Status Pending for Stage Approval [ 10300 ] Approved for Stage [ 10030 ]
          niteen.surwase Niteen Surwase (Inactive) made changes -
          Assignee Vijayendra Shinde [ ID10506 ] Zeeshan Chishty [ zeeshan.chishty ]
          Zeeshan.Chishty Zeeshan Chishty (Inactive) made changes -
          Status Approved for Stage [ 10030 ] Stage Testing [ 10201 ]
          Zeeshan.Chishty Zeeshan Chishty (Inactive) made changes -
          Item State Parent values: Stage QA(10202)Level 1 values: Stage Deployed(11602) Parent values: Stage QA(10202)Level 1 values: Ready for Production(10217)
          Zeeshan.Chishty Zeeshan Chishty (Inactive) made changes -
          Status Stage Testing [ 10201 ] Pending for Production Approval [ 10301 ]
          Zeeshan.Chishty Zeeshan Chishty (Inactive) made changes -
          Assignee Zeeshan Chishty [ zeeshan.chishty ] Vijayendra Shinde [ ID10506 ]
          niteen.surwase Niteen Surwase (Inactive) made changes -
          Status Pending for Production Approval [ 10301 ] Approved for production [ 10034 ]
          niteen.surwase Niteen Surwase (Inactive) made changes -
          Assignee Vijayendra Shinde [ ID10506 ] Zeeshan Chishty [ zeeshan.chishty ]
          niteen.surwase Niteen Surwase (Inactive) made changes -
          Item State Parent values: Stage QA(10202)Level 1 values: Ready for Production(10217) Parent values: Production QA(10203)Level 1 values: Production Deployed(10221)
          niteen.surwase Niteen Surwase (Inactive) made changes -
          Developer Niteen Surwase [ niteen.surwase ]
          Zeeshan.Chishty Zeeshan Chishty (Inactive) made changes -
          Assignee Zeeshan Chishty [ zeeshan.chishty ] Deepali Tidke [ deepalit ]
          deepalit Deepali Tidke (Inactive) made changes -
          Item State Parent values: Production QA(10203)Level 1 values: Production Deployed(10221) Parent values: Production Complete(10222)
          deepalit Deepali Tidke (Inactive) made changes -
          Status Approved for production [ 10034 ] Production Testing [ 10202 ]
          deepalit Deepali Tidke (Inactive) made changes -
          Resolution Fixed [ 1 ]
          Status Production Testing [ 10202 ] Production Complete [ 10028 ]
          deepalit Deepali Tidke (Inactive) made changes -
          Status Production Complete [ 10028 ] Closed [ 6 ]

            People

            Assignee:
            deepalit Deepali Tidke (Inactive)
            Reporter:
            vijayendra Vijayendra Shinde (Inactive)
            Developer:
            Niteen Surwase (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: