OWASP Mutillidae II: Web Pwn in Mass Production
Version: 2.6.48
Cache Control
Reconnaissance

Web applications may cache information locally to increase performance. Caching a copy on the client avoids retransmission and is useful for images and static content.

Dynamic (i.e. interactive) pages such as forms tend to collect or display sensitive information. Some information is sensitive in any context, such as SSN, CC, user profile, etc.

Some information may not be sensitive to the custodian (i.e. corporation, government) but is sensitive to the owner, such as a pharmacy invoice, travel arrangements, etc.

Regardless of sensitivity, information leakage may raise privacy concerns. Any cached content from a domain reveals that the user visited the page. Even when the content itself is not sensitive, disclosing browsing history may be a privacy violation.

Cache controls must be used when the content-type indicates the content may contain user data. Of particular concern are media types that carry user data, like HTML, JSON, XML, etc. Browsers also cache documents. Document caching leaves the document on the browser, which may result in disclosure of sensitive information.

Exploitation

How to view cached items in Firefox

Type about:cache in the address bar

How to view cached items in Internet Explorer
  • In the Tools menu, choose Internet Options
  • On the General tab under Temporary Internet Files, click the Settings button
  • From the Settings dialog, click the View Files button
NirSoft IECacheView is also useful.

Reporting

RFC 7234 from the Internet Engineering Task Force (IETF) specifies caching controls. HTTP headers are used to specify caching directives (Section 5.2.1). "Cache-Control" is the standard header for HTTP/1.1. "Pragma" provides backwards compatibility with HTTP/1.0 clients.

Strategy for Implementing Cache Control

The correct cache-control to use depends on the type of document. Browsers can natively parse HTML, JSON, XML, CSS, JavaScript and other formats. Document formats such as PDF, DOCX, XLSX and PPTX must be handed off to other applications. Native content cache-control (aka "forms cache control") is used when the document is a type the browser parses natively:

Cache-Control: no-store, no-cache

Static document cache-control is used when the static document is handled by an external application:

Cache-Control: no-store, no-cache, max-age=0, must-revalidate

URI tagging or streaming document cache-control is used for streamed content.
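
The two header policies above can be checked automatically during a review. The following is an added example, not part of Mutillidae: it audits response headers against the native-content and static-document policies (streamed content is not covered). The media-type lists, the requirement that Pragma: no-cache accompany either policy, and the sample responses are assumptions made for illustration.

```python
# Added example: audit response headers against the two policies on this page.
# The media-type-to-policy mapping below is an assumption, not the page's own list.
NATIVE = {"text/html", "application/json", "application/xml", "text/xml",
          "text/css", "application/javascript", "text/javascript"}
EXTERNAL = {
    "application/pdf",
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
    "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
    "application/vnd.openxmlformats-officedocument.presentationml.presentation",
}
NATIVE_POLICY = ("no-store", "no-cache")
EXTERNAL_POLICY = ("no-store", "no-cache", "max-age=0", "must-revalidate")

def required_directives(content_type):
    """Return the directives the page prescribes for this media type, or ()."""
    media = content_type.split(";", 1)[0].strip().lower()
    if media in NATIVE:
        return NATIVE_POLICY
    if media in EXTERNAL:
        return EXTERNAL_POLICY
    return ()

def parse_cache_control(value):
    """Normalise a Cache-Control value into a set of lowercase directives."""
    return {d.strip().lower().replace(" ", "") for d in value.split(",") if d.strip()}

def audit(headers):
    """Return a list of findings for one response's headers (empty if compliant)."""
    h = {k.lower(): v for k, v in headers.items()}
    need = required_directives(h.get("content-type", ""))
    have = parse_cache_control(h.get("cache-control", ""))
    findings = [f"missing Cache-Control directive: {d}" for d in need if d not in have]
    # Assumption: Pragma is expected alongside either policy for HTTP/1.0 clients.
    if need and "no-cache" not in h.get("pragma", "").lower():
        findings.append("missing Pragma: no-cache (HTTP/1.0 clients)")
    return findings

# Constructed sample responses, not captured from a real application.
SAMPLES = {
    "profile page": {"Content-Type": "text/html; charset=UTF-8",
                     "Cache-Control": "private, max-age=600"},
    "invoice pdf": {"Content-Type": "application/pdf",
                    "Cache-Control": "no-store, no-cache", "Pragma": "no-cache"},
    "logo": {"Content-Type": "image/png", "Cache-Control": "max-age=86400"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, audit(hdrs) or "ok")
```

The image response produces no findings because only media types that may carry user data are held to a no-store policy here.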