Rules Repository: RSPEC-5750

Allowing HTTP responses caching is security-sensitive


    Details

    • Message:
      Make sure allowing HTTP responses caching is safe here.
    • Default Severity:
      Minor
    • Impact:
      Low
    • Likelihood:
      Low
    • Default Quality Profiles:
      Sonar way
    • Targeted languages:
      ABAP, APEX, C#, C, C++, Cobol, CSS, Flex, Go, HTML, Java, JavaScript, Kotlin, Objective-C, PHP, PL/I, PL/SQL, Python, RPG, Ruby, Rust, Scala, Solidity, Swift, T-SQL, TypeScript, VB.Net, VB6, XML
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      10min
    • Analysis Level:
      Control-flow Analysis
    • Analysis Scope:
      Main Sources
    • CWE:
      CWE-525
    • OWASP:
      A3

      Description

      Web browsers, CDNs and similar proxy servers can cache HTTP responses (especially large content such as images and scripts) to improve browsing performance and to avoid overloading the application that serves the resources. However, this may lead to privacy issues if a private web page containing personal user information is cached and served to another user. A different type of attack enabled by caching resources at the web-browser level is the cross-site leak (side-channel) attack: the attacker infers information about a user (for instance, which web page they are visiting) by observing response timing or other relevant data when requesting private resources that may be cached.

      Example of a side channel attack:

      • The attacker wants to know whether a user is involved in a confidential agreement between two companies A and B.
      • If that is the case, the user can access the resource contract-between-A-and-B.png after authenticating on a website.
      • The attacker tricks the user into visiting a malicious website containing the code below in order to determine the desired information:
      <img id="leakyimage" src="">
      <script>
        leakyimage.src = "https://targetexample.com/private/contract-between-A-and-B.png";

        leakyimage.onload = function SideChannelObservations() {
          // compare the timing between a cached image and a non-cached image,
          // or whether the load succeeds at all,
          // in order to determine if the image is cached and therefore whether the user has the right to access it
        }
      </script>
      

      Ask Yourself Whether

      • The web application serves HTTP responses that contain confidential information, for instance data belonging to an authenticated user.
      • Resources like images or documents (contract.png, attachment.png, etc.) are only accessible to private groups of users (authenticated users, administrators, ...).

      There is a risk if you answered yes to any of these questions.

      Recommended Secure Coding Practices

      • Set the Cache-Control HTTP header with the cacheability directive private so that shared caches (CDNs, proxies) do not store the response. If the risk is too high, it is recommended not to cache anything at the web-browser level either, by using the cacheability directive no-store.
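      The following is an added example (not code from the rule page or from SonarSource) showing, in Node.js, how a server can pick the Cache-Control value for a response from the sensitivity of the resource, and a small review check that tells whether a given Cache-Control header is acceptable for a response holding private data. The route table, the sensitivity tiers and their names are assumptions made for this example. Serving the confidential resource from the side-channel example above with no-store means neither the browser nor any shared cache keeps a copy, so there is no cached/not-cached difference for the attacker's page to observe.

```javascript
// Added example, not part of RSPEC-5750: choosing and checking Cache-Control
// for responses that carry per-user or confidential data.

// Sensitivity tiers (constructed for this example) and the policy for each.
const CACHE_POLICY = {
  // Public static assets: shared caches may keep them.
  public: "public, max-age=86400",
  // Per-user, lower risk: only the user's own browser may cache it;
  // "private" tells CDNs and proxies not to store the response.
  private: "private, no-cache",
  // Confidential: nothing may store it, browser included.
  confidential: "no-store",
};

// Returns the Cache-Control value for a sensitivity tier; unknown tiers are a bug.
function cacheControlFor(sensitivity) {
  const value = CACHE_POLICY[sensitivity];
  if (value === undefined) throw new Error(`unknown sensitivity: ${sensitivity}`);
  return value;
}

// Parses a Cache-Control header into { directive: value }, with `true` for bare
// directives such as "private" or "no-store". Directive names are case-insensitive.
function parseCacheControl(header) {
  const directives = {};
  for (const part of String(header || "").split(",")) {
    const [name, val] = part.trim().split("=");
    if (name) {
      directives[name.toLowerCase()] = val === undefined ? true : val.replace(/^"|"$/g, "");
    }
  }
  return directives;
}

// Review check: is this Cache-Control acceptable for a response with private data?
// - "no-store" is always acceptable.
// - "private" (and not "public") is acceptable only when browser caching is tolerated.
// - A missing header, or "public", is rejected: shared caches could serve the
//   response to another user.
function isSafeForPrivateData(header, { allowBrowserCache = true } = {}) {
  const d = parseCacheControl(header);
  if (d["no-store"]) return true;
  if (!allowBrowserCache) return false; // confidential data must be no-store
  return d["private"] === true && !d["public"];
}

// Route table (constructed): which sensitivity tier each path belongs to.
const ROUTES = {
  "/static/logo.png": "public",
  "/account/settings.json": "private",
  "/private/contract.png": "confidential",
};

// Response headers for a path, or null when the path is unknown.
function headersFor(path) {
  const sensitivity = ROUTES[path];
  if (!sensitivity) return null;
  return { "Cache-Control": cacheControlFor(sensitivity) };
}

// Minimal HTTP server wiring the headers in; call createServer().listen(8080) to try it.
function createServer() {
  const http = require("http");
  return http.createServer((req, res) => {
    const headers = headersFor(req.url);
    if (!headers) {
      res.writeHead(404);
      res.end();
      return;
    }
    res.writeHead(200, { "Content-Type": "text/plain", ...headers });
    res.end(`resource ${req.url}`);
  });
}
```

      The check deliberately treats an absent header as unsafe: with no Cache-Control, caches fall back to heuristic freshness and may store the response, which is exactly the situation this rule flags.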

      See

        Attachments

        1. JavaScript RSPEC-5752 Language-Specification

        Reporter: Eric Therond