Information Exposure Through Browser Caching| ID: 525 | Date: (C)2012-05-14 (M)2022-10-10 |
| Type: weakness | Status: INCOMPLETE |
| Abstraction Type: Variant |
Description
For each web page, the application should have an appropriate
caching policy specifying the extent to which the page and its form fields
should be cached.
Applicable PlatformsNone
Time Of Introduction
Related Attack Patterns
Common Consequences
| Scope | Technical Impact | Notes |
|---|
| Confidentiality | Read application
data | Browsers often store information in a client-side cache, which can
leave behind sensitive information for other users to find and exploit,
such as passwords or credit card numbers. The locations at most risk
include public terminals, such as those in libraries and Internet
cafes. |
Detection MethodsNone
Potential Mitigations
| Phase | Strategy | Description | Effectiveness | Notes |
|---|
| Architecture and Design | | Protect information stored in cache. | | |
| Architecture and DesignImplementation | | Use a restrictive caching policy for forms and web pages that
potentially contain sensitive information. | | |
| Architecture and Design | | Do not store unnecessarily sensitive information in the cache. | | |
| Architecture and Design | | Consider using encryption in the cache. | | |
Relationships
| Related CWE | Type | View | Chain |
|---|
| CWE-525 ChildOf CWE-895 | Category | CWE-888 | |
Demonstrative ExamplesNone
White Box Definitions None
Black Box Definitions None
Taxynomy Mappings
| Taxynomy | Id | Name | Fit |
|---|
| Anonymous Tool Vendor (under NDA) | | | |
| OWASP Top Ten 2004 | A2 | Broken Access Control | CWE_More_Specific |
| OWASP Top Ten 2004 | A3 | Broken Authentication and Session
Management | CWE_More_Specific |
References:None
