Vulnerability ID: 2YL6-OU2O-OMAT-JP27
Application Name: apple
Application Code: AAPL
Vulnerability Link: http://localhost:19080/Contrast/static/ng/index.html#/7c6cfec5-a187-4d5e-984a-d11d96d2ef63/applications/3c77ce97-6b6e-4335-ba9c-cba8465cae64/vulns/2YL6-OU2O-OMAT-JP27
What Happened?
We observed 11 pages which had the following insufficient cache control configurations:
/WebGoat/login
No cache controls detected
/WebGoat/service/lessonprogress.mvc
No cache controls detected
/WebGoat/service/labels.mvc
No cache controls detected
/WebGoat/service/lessonmenu.mvc
No cache controls detected
/WebGoat/service/hint.mvc
No cache controls detected
/WebGoat/service/debug/labels.mvc
No cache controls detected
/WebGoat/js/goatApp/templates/lesson_overview.html
Type of Instruction: Header
Value: no-store
How Does This Affect Caching?: The 'no-store' directive tells the browser not to store the contents on disk, but allows in-memory caching. Adding 'no-cache' would alleviate this concern.
/WebGoat/service/lessonoverview.mvc
No cache controls detected
/WebGoat/service/lessoninfo.mvc
No cache controls detected
/WebGoat/js/goatApp/templates/paging_controls.html
Type of Instruction: Header
Value: no-store
How Does This Affect Caching?: The 'no-store' directive tells the browser not to store the contents on disk, but allows in-memory caching. Adding 'no-cache' would alleviate this concern.
/WebGoat/WebGoatIntroduction.lesson.lesson
No cache controls detected
What's the risk?
By default, web browsers and proxies aggressively cache web content, including pages as well as their static content. In response to the given URL(s), the application does not effectively instruct browsers not to save this content on the client side.
Recommendation
There are a couple of ways, in the HTTP response, to tell the browser and any intervening proxies not to cache this data. Given the ever-increasing number of browser and proxy version permutations, keeping up to date with which cache control each browser or proxy requires is hard, so our recommendation is to issue a combination of caching controls in order to properly inform user agents of different types of the application's intentions.
Issuing only a subset of these controls guarantees that some version of some browser or proxy will retain the page data when it shouldn't.
The easiest way to prevent this issue from occurring in Java EE applications is to add these setHeader() calls to a servlet filter for all sensitive content:
    response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate"); // HTTP/1.1 controls
    response.setHeader("Pragma", "no-cache");                                   // HTTP/1.0 controls
    response.setDateHeader("Expires", 0);                                       // Prevents caching on proxy servers
If setting headers is difficult in your infrastructure, you can also simulate them via meta tags in the HTML sent to the browser:
    <meta http-equiv="Cache-Control" content="no-store, no-cache, must-revalidate">
    <meta http-equiv="Pragma" content="no-cache">
    <meta http-equiv="Expires" content="0">
At a minimum, Contrast expects to see a Cache-Control setting that contains no-store and no-cache. This will alleviate client-side browser caching concerns in modern browsers. This control can be delivered with a setHeader() call or a <meta> tag.
First Event
(no event)
Last Event
(no event)
HTTP Request
GET http://localhost:8080/WebGoat/login HTTP/1.0
Accept-Language: en-US,en;q=0.5
Cookie: JSESSIONID=8EF331C20B58C9D992E49BD3EC8FBB30; AJS.conglomerate.cookie="|config.sidebar.planNavigator.expanded=true|tabContainer.tabContainer.selectedTab=Capabilities|tabContainer.remote-agents-tabs.selectedTab=Online remote agents"; language=en
Host: localhost:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:74.0) Gecko/20100101 Firefox/74.0
Upgrade-Insecure-Requests: 1
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8