CWE-525: Use of Web Browser Cache Containing Sensitive Information
Weakness ID: 525
Version: v4.17
Weakness Name: Use of Web Browser Cache Containing Sensitive Information
Vulnerability Mapping: Allowed
Abstraction: Variant
Structure: Simple
Status: Incomplete
Likelihood of Exploit:
▼Description

The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached.

▼Extended Description

▼Alternate Terms
▼Relationships
Relevant to the view "Research Concepts - (1000)"
Nature | Mapping | Type | ID | Name
ChildOf | Allowed | Base | 524 | Use of Cache Containing Sensitive Information
▼Memberships
Nature | Mapping | Type | ID | Name
MemberOf | Prohibited | Category | 723 | OWASP Top Ten 2004 Category A2 - Broken Access Control
MemberOf | Prohibited | Category | 724 | OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management
MemberOf | Prohibited | Category | 966 | SFP Secondary Cluster: Other Exposures
MemberOf | Prohibited | Category | 1348 | OWASP Top Ten 2021 Category A04:2021 - Insecure Design
MemberOf | Prohibited | Category | 1403 | Comprehensive Categorization: Exposed Resource
▼Tags
Nature | Mapping | Type | ID | Name
MemberOf | Prohibited | BOSSView | BOSS-328 | Read Application Data (impact)
▼Relevant To View
Relevant to the view "OWASP Top Ten (2021) - (1344)"
Nature | Mapping | Type | ID | Name
MemberOf | Prohibited | Category | 1348 | OWASP Top Ten 2021 Category A04:2021 - Insecure Design
Relevant to the view "Software Fault Pattern (SFP) Clusters - (888)"
Nature | Mapping | Type | ID | Name
MemberOf | Prohibited | Category | 966 | SFP Secondary Cluster: Other Exposures
▼Background Detail

▼Common Consequences
Scope: Confidentiality
Likelihood: N/A
Impact: Read Application Data
Note:

Browsers often store information in a client-side cache, which can leave behind sensitive information for other users to find and exploit, such as passwords or credit card numbers. The locations at most risk include public terminals, such as those in libraries and Internet cafes.

▼Potential Mitigations
Phase: Architecture and Design
Description: Protect information stored in cache.

Phase: Architecture and Design, Implementation
Description: Use a restrictive caching policy for forms and web pages that potentially contain sensitive information.

Phase: Architecture and Design
Description: Do not store unnecessarily sensitive information in the cache.

Phase: Architecture and Design
Description: Consider using encryption in the cache.
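The "restrictive caching policy" mitigation above is usually applied through HTTP response headers. The following is an added example, not code from the CWE entry or from any referenced project: it chooses `Cache-Control` headers by route sensitivity and audits captured responses for headers that would let a browser or shared cache retain sensitive pages. The route prefixes and the sample responses are constructed assumptions for illustration.

```python
# Added example (not from the CWE entry): apply a restrictive caching policy to
# sensitive responses and audit existing responses for the weakness.
# Route prefixes and sample responses below are constructed for illustration.

SENSITIVE_PATH_PREFIXES = ("/account", "/checkout", "/login")  # assumed app routes


def is_sensitive_path(path: str) -> bool:
    """Assumed routing rule: anything under these prefixes carries personal or
    financial data and must not be retained by a browser or intermediary cache."""
    return path.startswith(SENSITIVE_PATH_PREFIXES)


def cache_headers_for(path: str) -> dict:
    """Headers a response for `path` should carry.

    no-store forbids any cache (browser or intermediary) from writing the
    response to storage; Pragma/Expires cover legacy HTTP/1.0 agents."""
    if is_sensitive_path(path):
        return {"Cache-Control": "no-store", "Pragma": "no-cache", "Expires": "0"}
    # Non-sensitive content (static assets, public pages) may be cached normally.
    return {"Cache-Control": "public, max-age=3600"}


def parse_cache_control(value: str) -> dict:
    """Split a Cache-Control header into {directive: argument-or-None}."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def cache_policy_findings(headers: dict, sensitive: bool) -> list:
    """Audit one response's headers. An empty list means the policy is acceptable
    for the stated sensitivity; each string is one CWE-525-style finding."""
    if not sensitive:
        return []
    # HTTP header names are case-insensitive; normalise before lookup.
    lower = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lower.get("cache-control", ""))
    findings = []
    if "no-store" not in cc:
        findings.append("missing no-store: browser cache may retain the response")
    if "public" in cc:
        findings.append("marked public: shared caches may also store it")
    if cc.get("max-age") not in (None, "0") and "no-store" not in cc:
        findings.append("positive max-age: cached copy reusable for %s seconds" % cc["max-age"])
    return findings


# Constructed sample responses (path, headers) as a proxy or test harness might
# capture them; they are not from any real application.
SAMPLE_RESPONSES = [
    ("/account/statement", {"Cache-Control": "public, max-age=600"}),  # weak policy
    ("/checkout/review", {}),                                          # no policy at all
    ("/login", {"Cache-Control": "no-store", "Pragma": "no-cache"}),   # hardened
    ("/static/logo.png", {"Cache-Control": "public, max-age=86400"}),  # fine: not sensitive
]


def audit(samples=SAMPLE_RESPONSES) -> dict:
    """Map each sample path to its findings; an empty list means it passes."""
    return {path: cache_policy_findings(hdrs, is_sensitive_path(path))
            for path, hdrs in samples}


if __name__ == "__main__":
    for path, findings in audit().items():
        print(path, "->", findings or "OK")
        if findings:
            print("   recommended headers:", cache_headers_for(path))
```

The checker treats `no-store` as the required directive because it is the only one that tells a browser not to write the response to disk at all; `no-cache` alone still permits storage and only forces revalidation. Form autofill is a separate browser store from the page cache, so the entry's mention of form fields also implies marking sensitive inputs with `autocomplete="off"`, with the caveat that current browsers ignore that attribute for login credential fields.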
▼Modes Of Introduction
Phase: Implementation
Note: N/A
▼Applicable Platforms
▼Demonstrative Examples
▼Observed Examples
Reference | Description
▼Affected Resources
▼Functional Areas
▼Weakness Ordinalities
Ordinality | Description
▼Detection Methods
▼Vulnerability Mapping Notes
Usage: Allowed
Reason: Acceptable-Use
Rationale:

This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.

Comments:

Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Suggestions:
▼Notes
▼Taxonomy Mappings
Taxonomy Name | Entry ID | Fit | Entry Name
OWASP Top Ten 2004 | A2 | CWE More Specific | Broken Access Control
OWASP Top Ten 2004 | A3 | CWE More Specific | Broken Authentication and Session Management
▼Related Attack Patterns
ID | Name
CAPEC-37 | Retrieve Embedded Sensitive Data
▼References