CWE-525
Use of Web Browser Cache Containing Sensitive Information
The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached.
Mitigation
Phase: Architecture and Design
Description:
- Protect information stored in cache.
Mitigation
Phase: Implementation
Description:
- Use a restrictive caching policy for forms and web pages that potentially contain sensitive information, such as "no-cache" in the Cache-Control header.
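One way to apply and check the restrictive policy described above, as an added example that is not part of the CWE entry. It sends `no-store`, which tells the browser not to keep a copy at all, whereas `no-cache` allows a stored copy that must be revalidated before reuse. The route prefixes, `sample_app`, and helper names are assumptions made for illustration.

```python
# Added example; the paths and sample_app are constructed assumptions.
SENSITIVE_PREFIXES = ("/account", "/login", "/checkout")  # hypothetical routes

def is_sensitive(path):
    """Match a prefix only on a path-segment boundary."""
    return any(path == p or path.startswith(p + "/") for p in SENSITIVE_PREFIXES)

class NoStoreMiddleware:
    """WSGI middleware that forces Cache-Control: no-store on sensitive paths."""
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if not is_sensitive(environ.get("PATH_INFO", "")):
            return self.app(environ, start_response)

        def restricted(status, headers, exc_info=None):
            # Drop whatever policy the handler set, then apply the strict one.
            kept = [(k, v) for k, v in headers if k.lower() != "cache-control"]
            return start_response(status, kept + [("Cache-Control", "no-store")], exc_info)
        return self.app(environ, restricted)

def audit_cache_control(headers):
    """Return findings for one response's header list of (name, value) tuples."""
    values = [v for k, v in headers if k.lower() == "cache-control"]
    if not values:
        return ["missing Cache-Control: browser may fall back to heuristic caching"]
    directives = {d.strip().lower().split("=")[0] for v in values for d in v.split(",")}
    findings = []
    if "public" in directives:
        findings.append("public: shared caches may store the response")
    if "no-store" not in directives:
        findings.append("no-store absent: a copy may be written to the browser cache")
    return findings

def fetch_headers(app, path):
    """Drive a WSGI app with one GET request and return its response headers."""
    captured = []
    def start_response(status, headers, exc_info=None):
        captured.extend(headers)
    list(app({"REQUEST_METHOD": "GET", "PATH_INFO": path}, start_response))
    return captured

def sample_app(environ, start_response):
    """Constructed handler that ships a cacheable policy on every page."""
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("Cache-Control", "public, max-age=3600")])
    return [b"<form>account details</form>"]
```

Running `audit_cache_control` over captured response headers in an integration test catches sensitive pages that ship without the policy.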
Mitigation
Phase: Architecture and Design
Description:
- Do not store sensitive information in the cache unnecessarily.
Mitigation
Phase: Architecture and Design
Description:
- Consider using encryption in the cache.
CAPEC-37: Retrieve Embedded Sensitive Data
An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.