Vulnerability Description
Page caching by the web browser is not disabled in many HTML pages throughout the application.
Impact
This vulnerability could allow sensitive application information to be recovered in clear-text from a browser’s cache in situations where a user logs in to the site via a shared computer (e.g., in a public library, a public Internet kiosk, etc.) or if a malicious user gained local access to a legitimate user’s workstation. Other information disclosures may also result from this condition. In some cases, after a user logs out of the application, a malicious user with local access to the victim’s workstation can press the browser’s “back” button in order to view the last page accessed by the user prior to logging out.
Verification and Attack Information
Praetorian identified this issue by observing Cache-Control headers sent in server responses and by manually viewing contents of the client’s local cache directory. Example evidence is shown below.
Recommendation
Set page-caching directives using three HTTP 1.0/1.1 headers for all pages containing sensitive or volatile data. The headers are:
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
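As an added example (not the application's code and not part of Praetorian's finding), the Python below applies the three recommended headers from one place, a WSGI middleware, so that individual pages cannot forget them, and pairs it with an audit function that inspects a response's headers the way the issue was verified (reading Cache-Control and its companions). The middleware, the `is_sensitive` path rule, the `/benefits/summary` and `/static/` paths and the demo application are assumptions for illustration. It also goes one step beyond the page: under RFC 7234, `no-cache` still lets a cache store the response provided it revalidates before reuse, whereas `no-store` forbids storing it at all, so a stricter `NO_STORE_HEADERS` set is shown alongside the page's three headers.

```python
"""Added example: anti-caching headers for sensitive pages.

A WSGI middleware that applies the recommended headers to every sensitive
response, plus an audit function that checks a response's headers against the
recommendation. Constructed example, not the application's own code; the
paths and the demo application are hypothetical.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# The three headers named in the recommendation, with the exact values given.
NO_CACHE_HEADERS = {
    "Cache-Control": "no-cache",
    "Pragma": "no-cache",
    "Expires": "-1",
}

# Stricter variant (assumption beyond the page): per RFC 7234, "no-cache" lets a
# cache store the response as long as it revalidates before reuse; "no-store"
# forbids storing it at all, which matches the shared-workstation threat.
NO_STORE_HEADERS = {
    "Cache-Control": "no-cache, no-store, must-revalidate",
    "Pragma": "no-cache",
    "Expires": "-1",
}


def is_sensitive(path: str) -> bool:
    """Hypothetical policy: everything except static assets carries user data."""
    return not path.startswith("/static/")


class NoCacheMiddleware:
    """WSGI wrapper that overrides caching headers on sensitive responses."""

    def __init__(self, app, headers=NO_CACHE_HEADERS):
        self.app = app
        self.headers = headers

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "/")

        def _start_response(status, response_headers, exc_info=None):
            if is_sensitive(path):
                # Drop any caching header the application set, then add ours,
                # so a permissive page-level value cannot win.
                ours = {k.lower() for k in self.headers}
                response_headers = [(k, v) for k, v in response_headers
                                    if k.lower() not in ours]
                response_headers.extend(self.headers.items())
            return start_response(status, response_headers, exc_info)

        return self.app(environ, _start_response)


def audit_headers(headers) -> list:
    """Check a list of (name, value) response headers against the recommendation.

    Returns a list of findings; an empty list means the page is not cacheable.
    """
    h = {k.lower(): v for k, v in headers}
    findings = []
    directives = {d.strip().lower() for d in h.get("cache-control", "").split(",")}
    if not directives & {"no-cache", "no-store"}:
        findings.append("Cache-Control missing or lacks no-cache/no-store")
    if h.get("pragma", "").lower() != "no-cache":
        findings.append("Pragma: no-cache missing (HTTP/1.0 clients and proxies)")
    expires = h.get("expires")
    if expires is None:
        findings.append("Expires header missing")
    else:
        try:
            when = parsedate_to_datetime(expires)
            if when.tzinfo is None:  # "-0000" dates come back naive
                when = when.replace(tzinfo=timezone.utc)
            if when > datetime.now(timezone.utc):
                findings.append("Expires is in the future: %s" % expires)
        except (TypeError, ValueError):
            pass  # "-1", "0" or any unparsable value means "already expired"
    return findings


def run_request(app, path):
    """Drive a WSGI app with a minimal environ; returns (status, headers)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, list(headers)

    b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["status"], captured["headers"]


def demo_app(environ, start_response):
    """Constructed application that (wrongly) marks every page as cacheable."""
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("Cache-Control", "public, max-age=3600")])
    return [b"<html>benefit summary for the logged-in user</html>"]


if __name__ == "__main__":
    _, raw = run_request(demo_app, "/benefits/summary")
    print("unwrapped:", audit_headers(raw))
    _, fixed = run_request(NoCacheMiddleware(demo_app), "/benefits/summary")
    print("wrapped:", audit_headers(fixed), fixed)
```

Running the script prints three findings for the unwrapped application and none once the middleware is in place. Static assets under `/static/` keep whatever caching the application chose, since the policy only targets pages that can carry session data; pass `NO_STORE_HEADERS` to the middleware to apply the stricter set instead.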
References
https://www.owasp.org/index.php/Category:WASS_Page_Caching
Field | Original Value | New Value |
---|---|---|
Rank | Ranked higher |
Assignee | Niteen Surwase [ niteen.surwase ] |
Status | New Request [ 10029 ] | Pending for Approval [ 10002 ] |
Status | Pending for Approval [ 10002 ] | Approved for Development [ 10003 ] |
Status | Approved for Development [ 10003 ] | In Development [ 10007 ] |
Component/s | BenAdmin [ 10100 ] |
Labels | Low Risk Security |
Description | Finding text as above (Vulnerability Description, Impact, Verification and Attack Information, Recommendation), without a References section | Same text with *References* https://www.owasp.org/index.php/Category:WASS_Page_Caching appended |
Assignee | Niteen Surwase [ niteen.surwase ] | Amit Gude [ amitg ] |
Status | In Development [ 10007 ] | Local Testing [ 10200 ] |
Assignee | Amit Gude [ amitg ] | Zeeshan Chishty [ zeeshan.chishty ] |
Status | Local Testing [ 10200 ] | Reopen in Local [ 10018 ] |
Status | Reopen in Local [ 10018 ] | In Development [ 10007 ] |
Status | In Development [ 10007 ] | Local Testing [ 10200 ] |
Attachment | List of Cache Imapached pages.xls [ 17001 ] |
Attachment | Cache-Control-ed Modules.xls [ 17306 ] |
Attachment | List of Cache Imapached pages.xls [ 17001 ] |
Issue Importance | Must Have [ 11800 ] |
Assignee | Zeeshan Chishty [ zeeshan.chishty ] | Niteen Surwase [ niteen.surwase ] |
Assignee | Niteen Surwase [ niteen.surwase ] | Zeeshan Chishty [ zeeshan.chishty ] |
Status | Local Testing [ 10200 ] | Reopen in Local [ 10018 ] |
Status | Reopen in Local [ 10018 ] | In Development [ 10007 ] |
Status | In Development [ 10007 ] | Local Testing [ 10200 ] |
Assignee | Zeeshan Chishty [ zeeshan.chishty ] |
Status | Local Testing [ 10200 ] | Pending for Stage Approval [ 10300 ] |
Assignee | Vijayendra Shinde [ ID10506 ] |
Item State | Parent values: Development(10200)Level 1 values: In Progress(10206) | Parent values: LB QA(10201)Level 1 values: Ready for Stage(10213) |
Item State | Parent values: LB QA(10201)Level 1 values: Ready for Stage(10213) | Parent values: Stage QA(10202)Level 1 values: Stage Deployed(11602) |
Status | Pending for Stage Approval [ 10300 ] | Approved for Stage [ 10030 ] |
Assignee | Vijayendra Shinde [ ID10506 ] | Zeeshan Chishty [ zeeshan.chishty ] |
Status | Approved for Stage [ 10030 ] | Stage Testing [ 10201 ] |
Item State | Parent values: Stage QA(10202)Level 1 values: Stage Deployed(11602) | Parent values: Stage QA(10202)Level 1 values: Ready for Production(10217) |
Status | Stage Testing [ 10201 ] | Pending for Production Approval [ 10301 ] |
Assignee | Zeeshan Chishty [ zeeshan.chishty ] | Vijayendra Shinde [ ID10506 ] |
Status | Pending for Production Approval [ 10301 ] | Approved for production [ 10034 ] |
Assignee | Vijayendra Shinde [ ID10506 ] | Zeeshan Chishty [ zeeshan.chishty ] |
Item State | Parent values: Stage QA(10202)Level 1 values: Ready for Production(10217) | Parent values: Production QA(10203)Level 1 values: Production Deployed(10221) |
Developer | Niteen Surwase [ niteen.surwase ] |
Assignee | Zeeshan Chishty [ zeeshan.chishty ] | Deepali Tidke [ deepalit ] |
Item State | Parent values: Production QA(10203)Level 1 values: Production Deployed(10221) | Parent values: Production Complete(10222) |
Status | Approved for production [ 10034 ] | Production Testing [ 10202 ] |
Resolution | Fixed [ 1 ] | |
Status | Production Testing [ 10202 ] | Production Complete [ 10028 ] |
Status | Production Complete [ 10028 ] | Closed [ 6 ] |