
Possible error in 4.4.6 Testing for Browser Cache Weaknesses

Open aBUDmdBQ opened this issue 1 year ago • 6 comments

What's the issue? In 4.4.6 Testing for Browser Cache Weaknesses, in the paragraph Browser History, it says:

"The Back button can be stopped from showing sensitive data. This can be done by:

Delivering the page over HTTPS.
Setting Cache-Control: must-revalidate"

In a recent penetration test I had the issue that by using the back button after logging out I could retrieve the information previously shown again. I then modified the headers in the response to see if the advice from above works. At least in Firefox it did not; for other browsers I did not test it. After setting Cache-Control: must-revalidate the information could still be retrieved in the described way.

How do we solve it? According to https://stackoverflow.com/questions/49547/how-do-we-control-web-page-caching-across-all-browsers the correct settings for the headers are:

Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: 0

At least in my tests I could confirm that these headers resolved the issue.

Would you like to be assigned to this issue? Check the box if you will submit a PR to fix this issue. Please read CONTRIBUTING.md.

  • [ ] Assign me, please!

aBUDmdBQ avatar Jul 03 '23 07:07 aBUDmdBQ

@kingthorin what do you think? That section below it, about the browser cache mentions those 3 headers.

Testing between cache and history is a slightly tricky game, should we partially merge the section and recommendations?

ThunderSon avatar Aug 20 '23 16:08 ThunderSon

Hey @aBUDmdBQ, how can I help and contribute to resolve this issue?

Please let me know, and thanks.

mademarc avatar Sep 16 '23 00:09 mademarc

The best first step would be to read the comments here and see if you agree with @ThunderSon's suggestion (he's one of the project leads 😉).

kingthorin avatar Sep 16 '23 01:09 kingthorin

Hey @kingthorin, yes, I have read the CONTRIBUTING.md, and I also agree with @ThunderSon. I have some points to help out; should I post them here in the comment section?

mademarc avatar Sep 16 '23 02:09 mademarc

Here is good, then everyone can collaborate and land in the right place/plan.

kingthorin avatar Sep 16 '23 03:09 kingthorin

Hey you all, first I want to thank you for your comments. In the section about the browser cache mentioned by @ThunderSon the must-revalidate is missing, so it is not exactly the same as in my post. From my understanding of the directives the setting no-cache, no-store, must-revalidate also seems a bit paradoxical. According to https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control, no-cache means the response can be cached but before serving it the server needs to be contacted. no-store means the response must not be cached at all. From my understanding it should be sufficient to set Cache-Control: no-store to disable the caching completely. As far as I know the Expires header also should not be necessary if using no-store. In the case of older clients that do not support no-store you could also use max-age in the Cache-Control header. The Pragma header is for legacy clients as far as I know. So as a minimum I would recommend the headers:

Cache-Control: no-store
Pragma: no-cache

Right now I do not have the opportunity to test this. But if I get to test it soon, I will add my findings here.

aBUDmdBQ avatar Oct 02 '23 13:10 aBUDmdBQ
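A small header check that rates the three configurations discussed in this thread by Cache-Control semantics alone, as an added example that is not part of the issue or of the WSTG project. It does not model any browser's actual back-forward cache behaviour; the rating rules in the docstring and the sample responses are assumptions constructed for the example.

```python
def parse_cache_control(value):
    """Split a Cache-Control header into {directive: value-or-None}, case-insensitively."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def assess_cache_headers(headers):
    """Rate response headers for cached-page exposure (assumed rules, not from the WSTG text).

    'strong':          no-store is present, so the response must not be stored at all.
    'revalidate-only': no-cache, must-revalidate or max-age=0 is present; the response may
                       still be stored and only has to be revalidated before reuse.
    'weak':            none of the above, so the response may be stored and reused.
    legacy_fallback:   Pragma: no-cache or Expires: 0/-1 is set for clients that ignore
                       Cache-Control; this never changes the rating on its own.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lower.get("cache-control", ""))
    expires = lower.get("expires", "").strip()
    legacy = lower.get("pragma", "").strip().lower() == "no-cache" or expires in ("0", "-1")
    if "no-store" in cc:
        rating = "strong"
    elif "no-cache" in cc or "must-revalidate" in cc or cc.get("max-age") == "0":
        rating = "revalidate-only"
    else:
        rating = "weak"
    return {"rating": rating, "legacy_fallback": legacy, "directives": cc}


# Constructed responses matching the three configurations discussed in the thread.
REPORTED = {"Cache-Control": "must-revalidate"}  # the WSTG advice the reporter tested
STACKOVERFLOW = {"Cache-Control": "no-cache, no-store, must-revalidate",
                 "Pragma": "no-cache", "Expires": "0"}  # the Stack Overflow answer
MINIMAL = {"Cache-Control": "no-store", "Pragma": "no-cache"}  # the reporter's later suggestion

if __name__ == "__main__":
    for name, hdrs in [("must-revalidate only", REPORTED),
                       ("stackoverflow", STACKOVERFLOW), ("minimal", MINIMAL)]:
        print(f"{name}: {assess_cache_headers(hdrs)}")
```

Pointing the function at headers captured from a real logout-then-back test lets the tester record which directive was actually missing rather than only that the page reappeared.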