[ST-118] Page Caching Not Disabled - Workterra Jira

Details

Type: Change Request
Status: Closed
Priority: Medium
Resolution: Done
Component/s: BenAdmin
Labels:
- Low
- Risk
- Security

Module:
BenAdmin - Security
Reported by:
Support
Item State:
Production Complete
Issue Importance:
Must Have

Description

Vulnerability Description
Page caching by the web browser is not disabled in many HTML pages throughout the application.

Impact
This vulnerability could allow sensitive application information to be recovered in clear-text from a browser’s cache in situations where a user logs in to the site via a shared computer (e.g., in a public library, a public Internet kiosk, etc.) or if a malicious user gained local access to a legitimate user’s workstation. Other information disclosures may also result from this condition. In some cases, after a user logs out of the application, a malicious user with local access to the victim’s workstation can press the browser’s “back” button in order to view the last page accessed by the user prior to logging out.

Verification and Attack Information
Praetorian identified this issue by observing Cache-Control headers sent in server responses and by manually viewing contents of the client’s local cache directory. Example evidence is shown below.

Recommendation
Set page-caching directives using three HTTP 1.0/1.1 headers for all pages containing sensitive or volatile data. The headers are:
 Cache-Control: no-cache
 Pragma: no-cache
 Expires: -1

References
https://www.owasp.org/index.php/Category:WASS_Page_Caching

Vijayendra Shinde (Inactive) created issue - 12/Apr/16 06:19 AM

Vijayendra Shinde (Inactive) made changes - 12/Apr/16 06:19 AM

Field	Original Value	New Value
Rank		Ranked higher

Vijayendra Shinde (Inactive) made changes - 12/Apr/16 06:21 AM

Assignee

Niteen Surwase [ niteen.surwase ]

Vijayendra Shinde (Inactive) made changes - 12/Apr/16 06:21 AM

Status

New Request [ 10029 ]

Pending for Approval [ 10002 ]

Vijayendra Shinde (Inactive) made changes - 12/Apr/16 06:21 AM

Status

Pending for Approval [ 10002 ]

Approved for Development [ 10003 ]

Vijayendra Shinde (Inactive) made changes - 12/Apr/16 06:21 AM

Status

Approved for Development [ 10003 ]

In Development [ 10007 ]

Vijayendra Shinde (Inactive) made changes - 12/Apr/16 06:21 AM

Component/s

BenAdmin [ 10100 ]

Vijayendra Shinde (Inactive) made changes - 12/Apr/16 06:22 AM

Labels

Low Risk Security

Vijayendra Shinde (Inactive) made changes - 12/Apr/16 06:23 AM

Description

*Vulnerability Description*
Page caching by the web browser is not disabled in many HTML pages throughout the application.

*Impact*
This vulnerability could allow sensitive application information to be recovered in clear-text from a browser’s cache in situations where a user logs in to the site via a shared computer (e.g., in a public library, a public Internet kiosk, etc.) or if a malicious user gained local access to a legitimate user’s workstation. Other information disclosures may also result from this condition. In some cases, after a user logs out of the application, a malicious user with local access to the victim’s workstation can press the browser’s “back” button in order to view the last page accessed by the user prior to logging out.

*Verification and Attack Information*
Praetorian identified this issue by observing Cache-Control headers sent in server responses and by manually viewing contents of the client’s local cache directory. Example evidence is shown below.

*Recommendation*
Set page-caching directives using three HTTP 1.0/1.1 headers for all pages containing sensitive or volatile data. The headers are:
 Cache-Control: no-cache
 Pragma: no-cache
 Expires: -1

Hide

Permalink

Niteen Surwase (Inactive) added a comment - 15/Apr/16 06:03 AM - edited

Steps to Configure Server for Page Caching Parameters
1. Open IIS Manager and Select Project (Site).
2. Open "HTTP Response Header" and Click on "Add" button from Actions pane.
3. Add following Name and Value:
i. Cache-Control: no-cache
ii. Expires: -1
iii. Pragma: no-cache

Note : This will edit Web.Config file of Web Projects

Show

Niteen Surwase (Inactive) added a comment - 15/Apr/16 06:03 AM - edited Steps to Configure Server for Page Caching Parameters 1. Open IIS Manager and Select Project (Site). 2. Open "HTTP Response Header" and Click on "Add" button from Actions pane. 3. Add following Name and Value : i. Cache-Control : no-cache ii. Expires : -1 iii. Pragma : no-cache Note : This will edit Web.Config file of Web Projects

Hide

Permalink

Niteen Surwase (Inactive) added a comment - 15/Apr/16 06:07 AM - edited

For Testing :
1. Open Login Page --> Inspect Element --> Network Tab --> Reload Page (Ctrl + F5)
2. Check Response Headers of all files --> Cache-Control, Pragma, Expires attributes are visible.

Show

Niteen Surwase (Inactive) added a comment - 15/Apr/16 06:07 AM - edited For Testing : 1. Open Login Page --> Inspect Element --> Network Tab --> Reload Page (Ctrl + F5) 2. Check Response Headers of all files --> Cache-Control, Pragma, Expires attributes are visible.

Niteen Surwase (Inactive) made changes - 15/Apr/16 06:07 AM

Assignee

Niteen Surwase [ niteen.surwase ]

Amit Gude [ amitg ]

Niteen Surwase (Inactive) made changes - 15/Apr/16 06:08 AM

Status

In Development [ 10007 ]

Local Testing [ 10200 ]

Hide

Permalink

Amit Gude (Inactive) added a comment - 20/Apr/16 09:04 AM

Assigning to Zeeshan

Show

Amit Gude (Inactive) added a comment - 20/Apr/16 09:04 AM Assigning to Zeeshan

Amit Gude (Inactive) made changes - 20/Apr/16 09:04 AM

Assignee

Amit Gude [ amitg ]

Zeeshan Chishty [ zeeshan.chishty ]

Hide

Permalink

Zeeshan Chishty (Inactive) added a comment - 22/Apr/16 12:27 PM

Cache control header for all pages is set to either private,public nochace or combination of them
It is suggested to set cache control :nocache

Show

Zeeshan Chishty (Inactive) added a comment - 22/Apr/16 12:27 PM Cache control header for all pages is set to either private,public nochace or combination of them It is suggested to set cache control :nocache

Zeeshan Chishty (Inactive) made changes - 22/Apr/16 12:39 PM

Status

Local Testing [ 10200 ]

Reopen in Local [ 10018 ]

Hide

Permalink

Zeeshan Chishty (Inactive) added a comment - 26/Apr/16 06:02 AM

For Sensitive data in pages we should implement
Cache-Control: no-cache, no-store, must-revalidate,
pre-check=0, post-check=0, max-age=0, s-maxage=0
Pragma:No cache
Expires:-1

Show

Zeeshan Chishty (Inactive) added a comment - 26/Apr/16 06:02 AM For Sensitive data in pages we should implement Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0, max-age=0, s-maxage=0 Pragma:No cache Expires:-1

Hide

Permalink

Niteen Surwase (Inactive) added a comment - 29/Apr/16 01:04 PM

Affected Pages for Cache Control
SearchEmployeeController.cs 1 Response Changed
WTHomePageController.cs 21 Response Changed
EmployeeProfileController.cs 4 Response Change
EnrollmentSummaryController.cs 5 Response Change

Show

Niteen Surwase (Inactive) added a comment - 29/Apr/16 01:04 PM Affected Pages for Cache Control SearchEmployeeController.cs 1 Response Changed WTHomePageController.cs 21 Response Changed EmployeeProfileController.cs 4 Response Change EnrollmentSummaryController.cs 5 Response Change

Niteen Surwase (Inactive) made changes - 29/Apr/16 01:05 PM

Status

Reopen in Local [ 10018 ]

In Development [ 10007 ]

Niteen Surwase (Inactive) made changes - 29/Apr/16 01:05 PM

Status

In Development [ 10007 ]

Local Testing [ 10200 ]

Hide

Permalink

Niteen Surwase (Inactive) added a comment - 29/Apr/16 01:08 PM - edited

Note :
pre-check=0, post-check=0 is not necessary if these parameters are 0. So, this parameters are not added
Following is added in above pages.
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, s-maxage=0

Show

Niteen Surwase (Inactive) added a comment - 29/Apr/16 01:08 PM - edited Note : pre-check=0, post-check=0 is not necessary if these parameters are 0. So, this parameters are not added Following is added in above pages. Cache-Control : no-cache, no-store, must-revalidate, max-age=0, s-maxage=0

Niteen Surwase (Inactive) made changes - 05/May/16 09:28 AM

Attachment

List of Cache Imapached pages.xls [ 17001 ]

Hide

Permalink

Niteen Surwase (Inactive) added a comment - 05/May/16 09:29 AM

Please find the attachment for pages changed for Cache-Control Header

Show

Niteen Surwase (Inactive) added a comment - 05/May/16 09:29 AM Please find the attachment for pages changed for Cache-Control Header

Niteen Surwase (Inactive) made changes - 10/May/16 10:06 AM

Attachment

Cache-Control-ed Modules.xls [ 17306 ]

Hide

Permalink

Niteen Surwase (Inactive) added a comment - 10/May/16 10:07 AM

Page caching is enabled page wise.
Please check the attached excel-sheet for the pages affected:
Cache-Control-ed Modules.xls

Show

Niteen Surwase (Inactive) added a comment - 10/May/16 10:07 AM Page caching is enabled page wise. Please check the attached excel-sheet for the pages affected: Cache-Control-ed Modules.xls

Niteen Surwase (Inactive) made changes - 10/May/16 10:07 AM

Attachment

List of Cache Imapached pages.xls [ 17001 ]

Samir made changes - 13/May/16 07:40 AM

Issue Importance

Must Have [ 11800 ]

Zeeshan Chishty (Inactive) made changes - 19/May/16 10:11 AM

Assignee

Zeeshan Chishty [ zeeshan.chishty ]

Niteen Surwase [ niteen.surwase ]

Vijayendra Shinde (Inactive) made changes - 23/May/16 09:33 AM

Assignee

Niteen Surwase [ niteen.surwase ]

Zeeshan Chishty [ zeeshan.chishty ]

Vijayendra Shinde (Inactive) made changes - 23/May/16 09:33 AM

Status

Local Testing [ 10200 ]

Reopen in Local [ 10018 ]

Vijayendra Shinde (Inactive) made changes - 23/May/16 09:33 AM

Status

Reopen in Local [ 10018 ]

In Development [ 10007 ]

Vijayendra Shinde (Inactive) made changes - 23/May/16 09:33 AM

Status

In Development [ 10007 ]

Local Testing [ 10200 ]

Hide

Permalink

Zeeshan Chishty (Inactive) added a comment - 25/May/16 07:05 AM

Verified as cache control header is specified with values no cache, no store and max age:0
Pragma:no cache
Expires:-1

Show

Zeeshan Chishty (Inactive) added a comment - 25/May/16 07:05 AM Verified as cache control header is specified with values no cache, no store and max age:0 Pragma:no cache Expires:-1

Zeeshan Chishty (Inactive) made changes - 25/May/16 07:05 AM

Assignee

Zeeshan Chishty [ zeeshan.chishty ]

Zeeshan Chishty (Inactive) made changes - 25/May/16 07:06 AM

Status

Local Testing [ 10200 ]

Pending for Stage Approval [ 10300 ]

Zeeshan Chishty (Inactive) made changes - 25/May/16 07:06 AM

Assignee

Vijayendra Shinde [ ID10506 ]

Vijayendra Shinde (Inactive) made changes - 31/May/16 05:54 AM

Item State

Parent values: Development(10200)Level 1 values: In Progress(10206)

Parent values: LB QA(10201)Level 1 values: Ready for Stage(10213)

Niteen Surwase (Inactive) made changes - 13/Jun/16 04:50 AM

Item State

Parent values: LB QA(10201)Level 1 values: Ready for Stage(10213)

Parent values: Stage QA(10202)Level 1 values: Stage Deployed(11602)

Niteen Surwase (Inactive) made changes - 13/Jun/16 04:50 AM

Status

Pending for Stage Approval [ 10300 ]

Approved for Stage [ 10030 ]

Niteen Surwase (Inactive) made changes - 13/Jun/16 05:22 AM

Assignee

Vijayendra Shinde [ ID10506 ]

Zeeshan Chishty [ zeeshan.chishty ]

Hide

Permalink

Zeeshan Chishty (Inactive) added a comment - 13/Jun/16 05:30 AM

Verified on stage as cache control header is specified with values no cache, no store and max age:0
Pragma:no cache
Expires:-1

Show

Zeeshan Chishty (Inactive) added a comment - 13/Jun/16 05:30 AM Verified on stage as cache control header is specified with values no cache, no store and max age:0 Pragma:no cache Expires:-1

Zeeshan Chishty (Inactive) made changes - 13/Jun/16 05:30 AM

Status

Approved for Stage [ 10030 ]

Stage Testing [ 10201 ]

Zeeshan Chishty (Inactive) made changes - 13/Jun/16 05:30 AM

Item State

Parent values: Stage QA(10202)Level 1 values: Stage Deployed(11602)

Parent values: Stage QA(10202)Level 1 values: Ready for Production(10217)

Zeeshan Chishty (Inactive) made changes - 13/Jun/16 05:31 AM

Status

Stage Testing [ 10201 ]

Pending for Production Approval [ 10301 ]

Zeeshan Chishty (Inactive) made changes - 13/Jun/16 05:31 AM

Assignee

Zeeshan Chishty [ zeeshan.chishty ]

Vijayendra Shinde [ ID10506 ]

Niteen Surwase (Inactive) made changes - 14/Jun/16 12:21 PM

Status

Pending for Production Approval [ 10301 ]

Approved for production [ 10034 ]

Niteen Surwase (Inactive) made changes - 14/Jun/16 12:21 PM

Assignee

Vijayendra Shinde [ ID10506 ]

Zeeshan Chishty [ zeeshan.chishty ]

Niteen Surwase (Inactive) made changes - 14/Jun/16 12:21 PM

Item State

Parent values: Stage QA(10202)Level 1 values: Ready for Production(10217)

Parent values: Production QA(10203)Level 1 values: Production Deployed(10221)

Niteen Surwase (Inactive) made changes - 14/Jun/16 12:22 PM

Developer

Niteen Surwase [ niteen.surwase ]

Hide

Permalink

Zeeshan Chishty (Inactive) added a comment - 28/Jun/16 04:21 AM

Confirmed on Production cache control headers are set to no chache, no store wherever necessary.

Show

Zeeshan Chishty (Inactive) added a comment - 28/Jun/16 04:21 AM Confirmed on Production cache control headers are set to no chache, no store wherever necessary.

Zeeshan Chishty (Inactive) made changes - 28/Jun/16 04:21 AM

Assignee

Zeeshan Chishty [ zeeshan.chishty ]

Deepali Tidke [ deepalit ]

Hide

Permalink

Zeeshan Chishty (Inactive) added a comment - 28/Jun/16 04:22 AM

Rakesh Roy This should be verified for performance or any other functional issues.Please assign it if required

Show

Zeeshan Chishty (Inactive) added a comment - 28/Jun/16 04:22 AM Rakesh Roy This should be verified for performance or any other functional issues.Please assign it if required

Hide

Permalink

Deepali Tidke (Inactive) added a comment - 28/Jun/16 09:22 AM

Checked mentioned pages on production except for On Board and Wellness module

Show

Deepali Tidke (Inactive) added a comment - 28/Jun/16 09:22 AM Checked mentioned pages on production except for On Board and Wellness module

Deepali Tidke (Inactive) made changes - 28/Jun/16 09:22 AM

Item State

Parent values: Production QA(10203)Level 1 values: Production Deployed(10221)

Parent values: Production Complete(10222)

Deepali Tidke (Inactive) made changes - 28/Jun/16 09:22 AM

Status

Approved for production [ 10034 ]

Production Testing [ 10202 ]

Deepali Tidke (Inactive) made changes - 28/Jun/16 09:22 AM

Resolution		Fixed [ 1 ]
Status	Production Testing [ 10202 ]	Production Complete [ 10028 ]

Deepali Tidke (Inactive) made changes - 28/Jun/16 09:22 AM

Status

Production Complete [ 10028 ]

Closed [ 6 ]

Transition	Time In Source Status	Execution Times

Vijayendra Shinde (Inactive) made transition - 12/Apr/16 06:21 AM

New Request

Pending for Approval

2m 33s

Vijayendra Shinde (Inactive) made transition - 12/Apr/16 06:21 AM

Pending for Approval

Approved for Development

Vijayendra Shinde (Inactive) made transition - 12/Apr/16 06:21 AM

Approved for Development

In Development

Vijayendra Shinde (Inactive) made transition - 23/May/16 09:33 AM

In LB Testing

Reopen in Local

31d 2h 59m

Vijayendra Shinde (Inactive) made transition - 23/May/16 09:33 AM

Reopen in Local

In Development

7d 26m

Vijayendra Shinde (Inactive) made transition - 23/May/16 09:33 AM

In Development

In LB Testing

2d 23h 46m

Zeeshan Chishty (Inactive) made transition - 25/May/16 07:06 AM

In LB Testing

Pending for Stage Approval

1d 21h 32m

Niteen Surwase (Inactive) made transition - 13/Jun/16 04:50 AM

Pending for Stage Approval

Approved for Stage

18d 21h 44m

Zeeshan Chishty (Inactive) made transition - 13/Jun/16 05:30 AM

Approved for Stage

Stage Testing

40m 31s

Zeeshan Chishty (Inactive) made transition - 13/Jun/16 05:31 AM

Stage Testing

Pending for Production Approval

16s

Niteen Surwase (Inactive) made transition - 14/Jun/16 12:21 PM

Pending for Production Approval

Approved for production

1d 6h 50m

Deepali Tidke (Inactive) made transition - 28/Jun/16 09:22 AM

Approved for production

In Production Testing

13d 21h 1m

Deepali Tidke (Inactive) made transition - 28/Jun/16 09:22 AM

In Production Testing

Production Complete

Deepali Tidke (Inactive) made transition - 28/Jun/16 09:22 AM

Production Complete

Closed

People

Assignee:: Deepali Tidke (Inactive)

Reporter:: Vijayendra Shinde (Inactive)

Developer:: Niteen Surwase (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 12/Apr/16 06:19 AM

Updated:: 28/Jun/16 09:22 AM

Resolved:: 28/Jun/16 09:22 AM

Details

Description

Attachments

Attachments

Activity

People

Dates