Description

Secure page can be cached in browser. Cache control is not set in HTTP header nor HTML header. Sensitive content can be recovered from browser storage.

Solution

The best way is to set HTTP header with: 'Pragma: No-cache' and 'Cache-control: No-cache'.

Alternatively, this can be set in the HTML header by:

<META HTTP-EQUIV='Pragma' CONTENT='no-cache'>

<META HTTP-EQUIV='Cache-Control' CONTENT='no-cache'>

but some browsers may have problem using this method.

Reference

How to prevent caching in Internet Explorer - http://support.microsoft.com/default.aspx?kbid=234067

Pragma: No-cache Tag May Not Prevent Page from Being Cached - http://support.microsoft.com/default.aspx?kbid=222064

CWE Id

Description

Secure page can be cached in browser. Cache control is not set in HTTP header nor HTML header. Sensitive content can be recovered from browser storage.

Solution

The best way is to set HTTP header with: 'Pragma: No-cache' and 'Cache-control: No-cache'.

Alternatively, this can be set in the HTML header by:

<META HTTP-EQUIV='Pragma' CONTENT='no-cache'>

<META HTTP-EQUIV='Cache-Control' CONTENT='no-cache'>

but some browsers may have problem using this method.

Reference

How to prevent caching in Internet Explorer - http://support.microsoft.com/default.aspx?kbid=234067

Pragma: No-cache Tag May Not Prevent Page from Being Cached - http://support.microsoft.com/default.aspx?kbid=222064

CWE Id

Description

Secure page can be cached in browser. Cache control is not set in HTTP header nor HTML header. Sensitive content can be recovered from browser storage.

Solution

The best way is to set HTTP header with: 'Pragma: No-cache' and 'Cache-control: No-cache'.

Alternatively, this can be set in the HTML header by:

<META HTTP-EQUIV='Pragma' CONTENT='no-cache'>

<META HTTP-EQUIV='Cache-Control' CONTENT='no-cache'>

but some browsers may have problem using this method.

Reference

How to prevent caching in Internet Explorer - http://support.microsoft.com/default.aspx?kbid=234067

Pragma: No-cache Tag May Not Prevent Page from Being Cached - http://support.microsoft.com/default.aspx?kbid=222064

CWE Id

Description

Secure page can be cached in browser. Cache control is not set in HTTP header nor HTML header. Sensitive content can be recovered from browser storage.

Solution

The best way is to set HTTP header with: 'Pragma: No-cache' and 'Cache-control: No-cache'.

Alternatively, this can be set in the HTML header by:

<META HTTP-EQUIV='Pragma' CONTENT='no-cache'>

<META HTTP-EQUIV='Cache-Control' CONTENT='no-cache'>

but some browsers may have problem using this method.

Reference

How to prevent caching in Internet Explorer - http://support.microsoft.com/default.aspx?kbid=234067

Pragma: No-cache Tag May Not Prevent Page from Being Cached - http://support.microsoft.com/default.aspx?kbid=222064

CWE Id

Description

Secure page can be cached in browser. Cache control is not set in HTTP header nor HTML header. Sensitive content can be recovered from browser storage.

Solution

The best way is to set HTTP header with: 'Pragma: No-cache' and 'Cache-control: No-cache'.

Alternatively, this can be set in the HTML header by:

<META HTTP-EQUIV='Pragma' CONTENT='no-cache'>

<META HTTP-EQUIV='Cache-Control' CONTENT='no-cache'>

but some browsers may have problem using this method.

Reference

How to prevent caching in Internet Explorer - http://support.microsoft.com/default.aspx?kbid=234067

Pragma: No-cache Tag May Not Prevent Page from Being Cached - http://support.microsoft.com/default.aspx?kbid=222064

CWE Id

Description

Secure page can be cached in browser. Cache control is not set in HTTP header nor HTML header. Sensitive content can be recovered from browser storage.

Solution

The best way is to set HTTP header with: 'Pragma: No-cache' and 'Cache-control: No-cache'.

Alternatively, this can be set in the HTML header by:

<META HTTP-EQUIV='Pragma' CONTENT='no-cache'>

<META HTTP-EQUIV='Cache-Control' CONTENT='no-cache'>

but some browsers may have problem using this method.

Reference

How to prevent caching in Internet Explorer - http://support.microsoft.com/default.aspx?kbid=234067

Pragma: No-cache Tag May Not Prevent Page from Being Cached - http://support.microsoft.com/default.aspx?kbid=222064

CWE Id

Description

Secure page can be cached in browser. Cache control is not set in HTTP header nor HTML header. Sensitive content can be recovered from browser storage.

Solution

The best way is to set HTTP header with: 'Pragma: No-cache' and 'Cache-control: No-cache'.

Alternatively, this can be set in the HTML header by:

<META HTTP-EQUIV='Pragma' CONTENT='no-cache'>

<META HTTP-EQUIV='Cache-Control' CONTENT='no-cache'>

but some browsers may have problem using this method.

Reference

How to prevent caching in Internet Explorer - http://support.microsoft.com/default.aspx?kbid=234067

Pragma: No-cache Tag May Not Prevent Page from Being Cached - http://support.microsoft.com/default.aspx?kbid=222064

CWE Id

Description

Secure page can be cached in browser. Cache control is not set in HTTP header nor HTML header. Sensitive content can be recovered from browser storage.

Solution

The best way is to set HTTP header with: 'Pragma: No-cache' and 'Cache-control: No-cache'.

Alternatively, this can be set in the HTML header by:

<META HTTP-EQUIV='Pragma' CONTENT='no-cache'>

<META HTTP-EQUIV='Cache-Control' CONTENT='no-cache'>

but some browsers may have problem using this method.

Reference

How to prevent caching in Internet Explorer - http://support.microsoft.com/default.aspx?kbid=234067

Pragma: No-cache Tag May Not Prevent Page from Being Cached - http://support.microsoft.com/default.aspx?kbid=222064

CWE Id

Description

Secure page can be cached in browser. Cache control is not set in HTTP header nor HTML header. Sensitive content can be recovered from browser storage.

Solution

The best way is to set HTTP header with: 'Pragma: No-cache' and 'Cache-control: No-cache'.

Alternatively, this can be set in the HTML header by:

<META HTTP-EQUIV='Pragma' CONTENT='no-cache'>

<META HTTP-EQUIV='Cache-Control' CONTENT='no-cache'>

but some browsers may have problem using this method.

Reference

How to prevent caching in Internet Explorer - http://support.microsoft.com/default.aspx?kbid=234067

Pragma: No-cache Tag May Not Prevent Page from Being Cached - http://support.microsoft.com/default.aspx?kbid=222064

CWE Id

Description

The cache-control and pragma HTTPHeader have not been set properly allowing the browser and proxies to cache content

Solution

Whenever possible ensure the cache-control HTTPHeader is set with no-cache, no-store, must-revalidate, private, and the pragma HTTPHeader is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

Description

A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.

Solution

Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted tunnel. Ensure that the secure flag is set for cookies containing such sensitive information.

Reference

http://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)

WASC Id

Description

AUTOCOMPLETE attribute is not disabled in HTML FORM/INPUT element containing password type input. Passwords may be stored in browsers and retrieved.

Solution

Turn off AUTOCOMPLETE attribute in form or individual input elements containing password by using AUTOCOMPLETE='OFF'

Reference

http://msdn.microsoft.com/library/default.asp?url=/workshop/author/forms/autocomplete_ovr.asp

CWE Id

Description

A private IP such as 10.x.x.x, 172.x.x.x, 192.168.x.x has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems.

Solution

Remove the private IP address from the HTTP response body. For comments, use JSP/ASP comment instead of HTML/JavaScript comment which can be seen by client browsers.

Reference

CWE Id

WASC Id

Description

The cache-control and pragma HTTPHeader have not been set properly allowing the browser and proxies to cache content

Solution

Whenever possible ensure the cache-control HTTPHeader is set with no-cache, no-store, must-revalidate, private, and the pragma HTTPHeader is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

Description

A private IP such as 10.x.x.x, 172.x.x.x, 192.168.x.x has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems.

Solution

Remove the private IP address from the HTTP response body. For comments, use JSP/ASP comment instead of HTML/JavaScript comment which can be seen by client browsers.

Reference

CWE Id

WASC Id

Description

The cache-control and pragma HTTPHeader have not been set properly allowing the browser and proxies to cache content

Solution

Whenever possible ensure the cache-control HTTPHeader is set with no-cache, no-store, must-revalidate, private, and the pragma HTTPHeader is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

Description

AUTOCOMPLETE attribute is not disabled in HTML FORM/INPUT element containing password type input. Passwords may be stored in browsers and retrieved.

Solution

Turn off AUTOCOMPLETE attribute in form or individual input elements containing password by using AUTOCOMPLETE='OFF'

Reference

http://msdn.microsoft.com/library/default.asp?url=/workshop/author/forms/autocomplete_ovr.asp

CWE Id

Description

A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.

Solution

Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted tunnel. Ensure that the secure flag is set for cookies containing such sensitive information.

Reference

http://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)

WASC Id

Description

A private IP such as 10.x.x.x, 172.x.x.x, 192.168.x.x has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems.

Solution

Remove the private IP address from the HTTP response body. For comments, use JSP/ASP comment instead of HTML/JavaScript comment which can be seen by client browsers.

Reference

CWE Id

WASC Id

Description

The cache-control and pragma HTTPHeader have not been set properly allowing the browser and proxies to cache content

Solution

Whenever possible ensure the cache-control HTTPHeader is set with no-cache, no-store, must-revalidate, private, and the pragma HTTPHeader is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

Description

AUTOCOMPLETE attribute is not disabled in HTML FORM/INPUT element containing password type input. Passwords may be stored in browsers and retrieved.

Solution

Turn off AUTOCOMPLETE attribute in form or individual input elements containing password by using AUTOCOMPLETE='OFF'

Reference

http://msdn.microsoft.com/library/default.asp?url=/workshop/author/forms/autocomplete_ovr.asp

CWE Id

Description

A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.

Solution

Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted tunnel. Ensure that the secure flag is set for cookies containing such sensitive information.

Reference

http://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)

WASC Id

Description

The cache-control and pragma HTTPHeader have not been set properly allowing the browser and proxies to cache content

Solution

Whenever possible ensure the cache-control HTTPHeader is set with no-cache, no-store, must-revalidate, private, and the pragma HTTPHeader is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

Description

A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.

Solution

Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted tunnel. Ensure that the secure flag is set for cookies containing such sensitive information.

Reference

http://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)

WASC Id

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.

Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Reference

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.

Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Reference

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.

Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Reference

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.

Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Reference

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.

Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Reference

Description

The cache-control and pragma HTTPHeader have not been set properly allowing the browser and proxies to cache content

Solution

Whenever possible ensure the cache-control HTTPHeader is set with no-cache, no-store, must-revalidate, private, and the pragma HTTPHeader is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'.

This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.

Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Reference

Description

The cache-control and pragma HTTPHeader have not been set properly allowing the browser and proxies to cache content

Solution

Whenever possible ensure the cache-control HTTPHeader is set with no-cache, no-store, must-revalidate, private, and the pragma HTTPHeader is set with no-cache.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching