OWASP / wstg

The Web Security Testing Guide is a comprehensive Open Source guide to testing the security of web applications and web services.
https://owasp.org/www-project-web-security-testing-guide/
Creative Commons Attribution Share Alike 4.0 International

Possible error in 4.4.6 Testing for Browser Cache Weaknesses #1077

Open aBUDmdBQ opened 1 year ago

aBUDmdBQ commented 1 year ago

What's the issue? In 4.4.6 Testing for Browser Cache Weaknesses in the paragraph Browser History it says: "The Back button can be stopped from showing sensitive data. This can be done by:

Delivering the page over HTTPS.
Setting Cache-Control: must-revalidate"

In a recent penetration test I had the issue that by using the back button after logging out I could retrieve the information previously shown again. I then modified the headers in the response to see if the advice from above works. At least in Firefox it did not; for other browsers I did not test it. After setting Cache-Control: must-revalidate the information could still be retrieved in the described way.

How do we solve it? According to https://stackoverflow.com/questions/49547/how-do-we-control-web-page-caching-across-all-browsers the correct settings for the headers are:

Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: 0

At least in my tests I could confirm that these headers resolved the issue.


ThunderSon commented 1 year ago

@kingthorin what do you think? That section below it, about the browser cache, mentions those 3 headers.

Testing between cache and history is a slightly tricky game, should we partially merge the section and recommendations?

mademarc commented 11 months ago

Hey @aBUDmdBQ, how can I help and contribute to resolving this issue?

Please let me know, and thanks.

kingthorin commented 11 months ago

The best first step would be to read the comments here and see if you agree with @ThunderSon's suggestion (he's one of the project leads 😉).

mademarc commented 11 months ago

Hey @kingthorin, yes, I have read the CONTRIBUTING.md, and I also agree with @ThunderSon. I have some points to help out; should I post them here in the comment section?

kingthorin commented 11 months ago

Here is good, then everyone can collaborate and land in the right place/plan.

aBUDmdBQ commented 10 months ago

Hey you all, first I want to thank you for your comments. In the section about the browser cache mentioned by @ThunderSon the must-revalidate is missing, so it is not exactly the same as in my post.

From my understanding of the directives the setting no-cache, no-store, must-revalidate also seems a bit paradoxical. According to https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control, no-cache means the response can be cached but before serving it the server needs to be contacted. no-store means the response must not be cached at all. From my understanding it should be sufficient to set Cache-Control: no-store to disable the caching completely. As far as I know the Expires header also should not be necessary if using no-store. In the case of older clients that do not support no-store you could also use max-age in the Cache-Control header. The Pragma header is for legacy clients as far as I know.

So as a minimum I would recommend the headers:

Cache-Control: no-store
Pragma: no-cache

Right now I do not have the opportunity to test this. But if I get to test it soon, I will add my findings here.
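As an added example that is not part of this issue thread or of the WSTG text, the following Python turns the directive semantics discussed in the issue body and in the last comment into a check a tester can run against a response: it parses Cache-Control, flags header sets (such as must-revalidate alone) that still permit the response to be stored, and produces the minimum no-store set proposed above. The sample header sets are constructed for the example, not captured from any site; the function names and the "safe" rule (no-store present, no findings) are my own. The check only says what the headers permit a cache to do; whether a given browser shows the page again on Back still has to be confirmed in the browser, as the reporter did.

```python
"""Assess whether a response's caching headers let a sensitive page be stored.

Added example for this issue thread (not WSTG code). Directive semantics follow
RFC 9111; the sample header sets at the bottom are constructed, not captured.
"""
from __future__ import annotations

from dataclasses import dataclass, field


def parse_cache_control(value: str) -> dict[str, str | None]:
    """Split a Cache-Control value into {directive: argument-or-None}.

    Names are case-insensitive; arguments may be quoted,
    e.g. 'max-age=0, private, no-cache="Set-Cookie"'.
    """
    directives: dict[str, str | None] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


@dataclass
class CacheAssessment:
    no_store: bool
    findings: list[str] = field(default_factory=list)  # weaknesses
    notes: list[str] = field(default_factory=list)     # informational only

    @property
    def safe(self) -> bool:
        return self.no_store and not self.findings


def assess_cache_headers(headers: dict[str, str]) -> CacheAssessment:
    """Judge a response that must never be stored by a browser or proxy.

    no-store is the only directive that forbids storing the response at all.
    no-cache allows storing but demands revalidation before reuse, and
    must-revalidate only constrains a stored response once it is stale.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lower.get("cache-control", ""))
    result = CacheAssessment(no_store="no-store" in cc)

    if not result.no_store:
        if not cc:
            result.findings.append("no Cache-Control header; response may be stored and reused")
        if "must-revalidate" in cc and "no-cache" not in cc:
            result.findings.append("must-revalidate alone only affects stale entries; "
                                   "the response may still be stored")
        if "no-cache" in cc:
            result.findings.append("no-cache still allows storing (revalidate before reuse); "
                                   "use no-store")
        if cc.get("max-age") not in (None, "0"):
            result.findings.append(f"max-age={cc['max-age']} serves the page fresh from cache")
    elif cc.keys() & {"no-cache", "must-revalidate"}:
        result.notes.append("no-cache/must-revalidate are redundant next to no-store")

    if lower.get("pragma", "").strip().lower() != "no-cache":
        result.notes.append("Pragma: no-cache absent (only HTTP/1.0 caches care)")
    return result


def harden_headers(headers: dict[str, str]) -> dict[str, str]:
    """Copy of the headers with storing disabled, using the minimum set from
    the last comment. Existing Cache-Control/Pragma/Expires values are
    replaced, not appended to, so a conflicting max-age cannot survive."""
    kept = {k: v for k, v in headers.items()
            if k.lower() not in ("cache-control", "pragma", "expires")}
    return {**kept, "Cache-Control": "no-store", "Pragma": "no-cache"}


# Constructed sample responses for one logged-in page (not captured from a real site).
SAMPLES: dict[str, dict[str, str]] = {
    "wstg-text": {"Content-Type": "text/html", "Cache-Control": "must-revalidate"},
    "stackoverflow": {"Content-Type": "text/html",
                      "Cache-Control": "no-cache, no-store, must-revalidate",
                      "Pragma": "no-cache", "Expires": "0"},
    "minimum": {"Content-Type": "text/html", "Cache-Control": "no-store",
                "Pragma": "no-cache"},
    "unprotected": {"Content-Type": "text/html", "Cache-Control": "private, max-age=600"},
}


def report(label: str, headers: dict[str, str]) -> str:
    """One verdict per sample, in the form a tester would paste into a finding."""
    a = assess_cache_headers(headers)
    lines = [f"{label}: {'OK' if a.safe else 'WEAK'} "
             f"(Cache-Control: {headers.get('Cache-Control', '<none>')})"]
    lines += [f"  - {f}" for f in a.findings]
    lines += [f"  note: {n}" for n in a.notes]
    return "\n".join(lines)


if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(report(name, hdrs))
    print(report("unprotected, hardened", harden_headers(SAMPLES["unprotected"])))
```

Running it prints WEAK for the must-revalidate-only set and for a max-age page, OK for both the Stack Overflow set and the two-header minimum, with the redundant no-cache/must-revalidate directives reported as a note rather than a weakness, which is the point made in the last comment.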