CWE-525: Use of Web Browser Cache Containing Sensitive Information

Description

The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached.

Extended Description

N/A

ThreatScore

Threat Mapped score: 0.0

Industry: Finiancial

Threat priority: Unclassified

Observed Examples (CVEs)

No observed examples available.

Related Attack Patterns (CAPEC)

CAPEC-37

Attack TTPs

T1005 — Data from Local System (collection)
T1552.004 — Private Keys (credential-access)

Malware

APTs (Intrusion Sets)

Modes of Introduction

Phase	Note
Implementation	N/A

Common Consequences

Impact: Read Application Data — Notes: Browsers often store information in a client-side cache, which can leave behind sensitive information for other users to find and exploit, such as passwords or credit card numbers. The locations at most risk include public terminals, such as those in libraries and Internet cafes.

Potential Mitigations

Architecture and Design: Protect information stored in cache. (N/A)
Architecture and Design: Use a restrictive caching policy for forms and web pages that potentially contain sensitive information. (N/A)
Architecture and Design: Do not store unnecessarily sensitive information in the cache. (N/A)
Architecture and Design: Consider using encryption in the cache. (N/A)

Applicable Platforms

None listed.

Demonstrative Examples

N/A

Notes

No notes available.

← Back to CWE list