Details
Alert ID 10049-3
Alert Type Passive
Status beta
Risk Informational
CWE 524
WASC 13
Technologies Targeted All
Tags CWE-524, WSTG-V42-ATHN-06
More Info Scan Rule Help

Summary

The response contents are storable by caching components such as proxy servers, and may be served directly from the cache, rather than from the origin server, in response to similar requests from other users. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where "shared" caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance.

Solution

Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit or prevent the content being stored in, and retrieved from, the cache by another user:

Cache-Control: no-cache, no-store, must-revalidate, private
Pragma: no-cache
Expires: 0

This configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not serve the response from the cache (without validation) in response to a similar request.

Other Info

In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by RFC 7234.
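The following is an added example, not the code of ZAP's CacheableScanRule, that approximates how a shared (proxy) cache would treat a response under RFC 7234, so the weak and hardened header sets from the Solution section above can be compared offline. It also applies the one-year heuristic freshness lifetime described under Other Info when no explicit lifetime is present (the one-year constant is an assumption taken from that text, not a value from ZAP's source). The header dictionaries are constructed samples; the Pragma header, an HTTP/1.0 mechanism, is not modelled.

```python
"""Approximate RFC 7234 shared-cache treatment of an HTTP response.

Added example, not ZAP's own scan rule code. It answers two questions a
reviewer of this alert cares about: may a shared cache store the response,
and could it serve the response to another user without revalidating?
"""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Assumption mirroring the alert's "Other Info": with no explicit lifetime
# directive, a liberal heuristic freshness lifetime of one year is assumed.
HEURISTIC_LIFETIME = timedelta(days=365)


def parse_cache_control(value):
    """Split 'no-cache, max-age=0' into {'no-cache': None, 'max-age': '0'}."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def _lower_keys(raw_headers):
    """Header names are case-insensitive; normalise them for lookup."""
    return {k.lower(): v for k, v in raw_headers.items()}


def _as_utc(dt):
    """parsedate_to_datetime may return a naive datetime; treat it as UTC."""
    return dt if dt.tzinfo is not None else dt.replace(tzinfo=timezone.utc)


def is_storable_by_shared_cache(raw_headers):
    """A shared cache must not store a response marked no-store or private."""
    cc = parse_cache_control(_lower_keys(raw_headers).get("cache-control", ""))
    return "no-store" not in cc and "private" not in cc


def freshness_lifetime(raw_headers, now):
    """Freshness lifetime as a shared cache computes it: s-maxage, then max-age,
    then Expires minus Date, then the heuristic fallback."""
    h = _lower_keys(raw_headers)
    cc = parse_cache_control(h.get("cache-control", ""))
    for directive in ("s-maxage", "max-age"):  # s-maxage wins for shared caches
        arg = cc.get(directive)
        if arg is not None and arg.isdigit():
            return timedelta(seconds=int(arg))
    if "expires" in h:
        try:
            expires = _as_utc(parsedate_to_datetime(h["expires"]))
        except (TypeError, ValueError):
            return timedelta(0)  # an invalid Expires such as "0" means already stale
        date = _as_utc(parsedate_to_datetime(h["date"])) if "date" in h else now
        return max(expires - date, timedelta(0))
    return HEURISTIC_LIFETIME


def is_servable_without_validation(raw_headers, now):
    """Could a shared cache hand this response to another user without going
    back to the origin? Requires storable, no 'no-cache', and positive freshness.
    'must-revalidate' only bites once the response is stale, so it does not
    by itself prevent reuse of a fresh copy."""
    cc = parse_cache_control(_lower_keys(raw_headers).get("cache-control", ""))
    if not is_storable_by_shared_cache(raw_headers) or "no-cache" in cc:
        return False
    return freshness_lifetime(raw_headers, now) > timedelta(0)


def classify(raw_headers, now):
    """Summarise the verdicts for one response's headers."""
    return {
        "storable": is_storable_by_shared_cache(raw_headers),
        "servable_without_validation": is_servable_without_validation(raw_headers, now),
        "lifetime_days": freshness_lifetime(raw_headers, now).days,
    }


NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)

# Constructed sample: a user-specific page that sets no caching directives at all.
WEAK = {"Content-Type": "text/html", "Set-Cookie": "session=abc"}

# The header set recommended in the Solution section of this alert.
HARDENED = {
    "Cache-Control": "no-cache, no-store, must-revalidate, private",
    "Pragma": "no-cache",
    "Expires": "0",
}

if __name__ == "__main__":
    for name, headers in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, classify(headers, NOW))
```

With no directives at all, the weak response is storable and servable for a heuristic 365 days; the hardened set is neither storable nor servable and has a zero lifetime, which is exactly the outcome the Solution section aims for.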

Code

org/zaproxy/zap/extension/pscanrulesBeta/CacheableScanRule.java