Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Anti-Caching Controls Missing on 13 pages #296

Open
sourabhkatti opened this issue Jul 11, 2018 · 0 comments
Open

Anti-Caching Controls Missing on 13 pages #296

sourabhkatti opened this issue Jul 11, 2018 · 0 comments

Comments

@sourabhkatti
Copy link
Owner

Trace UUID: 7GSE-VCK3-POJN-XIPB

https://apptwo.contrastsecurity.com/Contrast/static/ng/index.html#/f7ea7169-d4eb-42c4-b32e-5c0ea0ca9733/vulns/7GSE-VCK3-POJN-XIPB/overview

Description

We observed 14 pages which had the following insufficient cache control configurations:

/WebGoat/HttpBasics.lesson.lesson

/WebGoat/service/labels.mvc

/WebGoat/service/lessonmenu.mvc

/WebGoat/service/debug/labels.mvc

/WebGoat/js/goatApp/templates/lesson_overview.html

/WebGoat/service/cookie.mvc

/WebGoat/service/source.mvc

/WebGoat/login

/WebGoat/service/lessonprogress.mvc

/WebGoat/service/lessonplan.mvc

/WebGoat/service/hint.mvc

/WebGoat/CrossSiteScripting.lesson.lesson

/WebGoat/service/solution.mvc

/WebGoat/service/lessoninfo.mvc

Risk

By default, web browsers and proxies aggressively cache web content, including pages as well as their static content. In response to the given URL(s), the application doesn't effectively inform the browsers to not save this content on the client side.

Recommendation to fix this finding

There are a couple ways in the HTTP response to tell the browser and any intervening proxies to not cache this data. Given the
ever increasing number of browser and proxy version permutations, keeping up to date with what browser or proxy requires
what cache control is hard, and thus our recommendation is to issue a combination of caching controls in
order to properly inform user agents of different types of the application's intentions.

Issuing only a subset of these controls guarantees that some version of some browser or proxy will retain the page data when it shouldn't.

The easiest way to prevent this issue from occurring in Java EE applications is to add these
setHeader() calls to a servlet filter for all sensitive content:

response.setHeader("Cache-Control","no-store, no-cache, must-revalidate"); //HTTP 1.1 controls 
response.setHeader("Pragma","no-cache"); //HTTP 1.0 controls
response.setDateHeader ("Expires", 0); //Prevents caching on proxy servers

If setting headers is difficult in your infrastructure, you can also simulate them via
meta tags in the HTML sent to the browser:

<meta http-equiv="Cache-Control" content="no-store, no-cache, must-revalidate">
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Expires" content="0">

At a minimum, Contrast expects to see a Cache-Control setting that contains
no-store and no-cache. This will alleviate client-side browser caching
concerns in modern browsers. This control can be delivered with a setHeader() call or
a &lt;meta&gt; tag.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@sourabhkatti