Vulnerability Category: A6-Security Misconfiguration
Vulnerability Description: Browsers can store information for purposes of caching and history. Caching is used to improve performance, so that previously displayed information doesn’t need to be downloaded again. History mechanisms are used for user convenience, so the user can see exactly what they saw at the time when the resource was retrieved. If sensitive information is displayed to the user (such as their address, credit card details, Social Security Number, or username), then this information could be stored for purposes of caching or history, and therefore retrievable through examining the browser’s cache or by simply pressing the browser’s “Back” button.
Impact: An attacker with local access to a user’s web browser may be able to retrieve cached copies of resources that the user previously accessed, exposing any stored sensitive data.
Recommendation: The web server should be configured to set cache behavior on all pages. To prevent a page from being cached, the Cache-Control directive must be set to no-store. This is the most secure of the cache-control directives: it instructs the browser not to cache the page and not to store it in its cache folder. This directive should be used for all sensitive pages. With this set, the application will have the greatest control possible over how its pages are cached. Other HTTP headers, such as Pragma: no-cache and Expires, should be set as well (Note: these headers do not guarantee that a browser will not store the data in its cache folder, but they are honored in certain browsers).
Note: The (misleadingly named) “no-cache” directive instructs the browser to revalidate with the server before serving the page from the cache. The browser may still store the page in its cache. In addition, some modern browsers have been modified to implement the “no-cache” directive like the “no-store” directive. To be on the safer side, developers can use both “no-cache” and “no-store” when serving sensitive pages.
Severity: Low
CVSS v3.0 Score: 3.7
CVSS v3.0 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
How to Test:
1) Intercept the application's traffic using Burp Suite and observe the response headers to see whether the Cache-Control option is in place.
2) Log in to the application, browse some sensitive pages, log out, and then click the browser's Back button to check whether the sensitive pages can be retrieved from the browser cache.
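The header check in step 1 can be scripted over responses exported from the proxy. The following is an added example, not part of the original post; the function names and the sample responses are constructed for illustration, and it flags the "no-cache without no-store" case described in the Note above.

```python
# Added example: audit response headers of sensitive pages for the caching
# controls named in the Recommendation. All sample data below is constructed.

def parse_cache_control(value):
    """Split a Cache-Control value into a dict of lowercase directive names."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def audit_cache_headers(headers):
    """Return a list of findings for one response (dict of header -> value)."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    cc = parse_cache_control(h.get("cache-control", ""))
    findings = []
    if "cache-control" not in h:
        findings.append("Cache-Control header missing")
    elif "no-store" not in cc:
        if "no-cache" in cc:
            # no-cache only forces revalidation; the page may still be stored
            findings.append("no-cache without no-store")
        else:
            findings.append("Cache-Control lacks no-store")
    if h.get("pragma", "").strip().lower() != "no-cache":
        findings.append("Pragma: no-cache not set")
    if "expires" not in h:
        findings.append("Expires not set")
    return findings


# Constructed sample responses for sensitive pages (hypothetical paths).
SAMPLES = {
    "/account (weak)": {"Cache-Control": "no-cache", "Content-Type": "text/html"},
    "/account (hardened)": {"cache-control": "No-Store, no-cache",
                            "Pragma": "no-cache", "Expires": "0"},
    "/profile (missing)": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for page, hdrs in SAMPLES.items():
        result = audit_cache_headers(hdrs)
        print(page, "->", result if result else "OK")
```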
Tools to Use:
1) Browser
2) Burp Suite
Note: I am a newbie in this field. If I make mistakes in my posts, please notify me; I will rectify them and learn more about it.