CWE-525: Use of Web Browser Cache Containing Sensitive Information
Learn about CWE-525 (Use of Web Browser Cache Containing Sensitive Information), its security impact, exploitation methods, and prevention guidelines.
What is Use of Web Browser Cache Containing Sensitive Information?
• Overview: This vulnerability occurs when a web application does not properly specify caching policies, allowing web browsers to store sensitive information such as login credentials, personal data, or payment details, which can be accessed by unauthorized users.
• Exploitation Methods:
- Attackers can exploit this vulnerability by accessing the cached data on a shared or public computer.
- Common attack patterns include physical access to a device or exploiting browser vulnerabilities to extract cached data.
• Security Impact:
- Direct consequences include unauthorized access to sensitive information.
- Potential cascading effects involve identity theft or unauthorized transactions.
- Business impact could include loss of customer trust, legal consequences, and financial losses.
• Prevention Guidelines:
- Implement appropriate HTTP headers like "Cache-Control: no-store" or "Pragma: no-cache" for pages containing sensitive data.
- Use HTTPS to ensure data is encrypted during transmission, mitigating the risk from network-level attacks.
- Regularly review and update caching policies, especially for pages with sensitive information.
- Recommended tools and frameworks include security-focused web frameworks that handle caching policies by default, and tools that perform security audits on web applications.
Technical Details
Likelihood of Exploit: Not specified
Affected Languages: Not specified
Affected Technologies: Not specified