Cache Control For a Sensitive Page
Lack of Cache-Control Header for a Sensitive Page
Overview of the Vulnerability
A lack of the HTTP response header for Cache-Control can lead to sensitive data being extracted from cached sessions. There are multiple HTTP response headers used in communication between the server and client which can be implemented to improve security against well documented vulnerabilities. For example, the Cache-Control security header is used to prevent cached data being accessible.
An advanced attacker can leverage a missing Cache-Control header to extract sensitive data from cached sessions in order to build a phishing profile against a target user and launch further attacks.
Business Impact
When sensitive data is being stored and transmitted by the application which does not have the Cache-Control header, an advanced attacker can access the sensitive data, phish users and cause reputational damage to the business.
Steps to Reproduce
Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP
Navigate to the following endpoint using a browser: {{URL}}
Capture the request using the HTTP interception proxy and review the response
Observe that no
Cache-Controlheader is implemented within the HTTP headersClose the browser tab and any open sessions
View the cache and observe sensitive details are present
Proof of Concept (PoC)
The screenshot below demonstrates the missing header:
{{screenshot}}
Recommendation(s)
The Cache-Control header should be configured in a way that reduces the attack surface of the application. It is important to ensure that the Cache-Control heading is not too permissive for the application's needs, and has directives appropriately set such as max-age, and no-store amongst others. These directives should be set in respect to sensitivity of data being stored and transmitted by the application.
For more information, please see the following guides:
Last updated