Re: Secure page can be cached in browser. Cache control is not set in HTTP header nor HTML header.

From: Mark Phippard <markphip_at_gmail.com>
Date: Wed, 18 Dec 2013 10:43:00 -0500

This is not the right mailing list.

You posted this to the users@ mailing list for Subversion.

You can find the users@ list for the Apache HTTP Server on this web page:

http://httpd.apache.org/lists.html#http-users

On Wed, Dec 18, 2013 at 10:22 AM, Meir Renford <meirre_at_mellanox.com> wrote:

> Hi,
>
> I was referred to this mailing list regarding this bug:
> https://issues.apache.org/bugzilla/show_bug.cgi?id=55896#add_comment
>
>
>
> When running OWASP ZAP web security tool, I get the following flag:
>
> Secure page can be cached in browser. Cache control is not set in HTTP header nor HTML header. Sensitive content can be recovered from browser storage.
>
>
>
> I was surprised since I had the no cache header in both html code and httpd header.
>
>
>
> After investigating the flag, I noticed that the response was a generic 302 found error response from Apache (located in apache/src/modules/http/http_protocol.c).
>
>
>
> full response given:
>
> header:
>
> HTTP/1.1 302 Found
>
> Date: Sat, 30 Nov 2013 10:44:40 GMT
>
> Server: Apache
>
> X-Frame-Options: DENY
>
> Location: https://10.209.0.81/admin/launch?script=rh&template=login&v_error=Incorrect%20user%20id%20or%20password.&f_user_id=ZAP
>
> Content-Length: 376
>
> Content-Type: text/html; charset=iso-8859-1
>
>
>
> body:
>
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
>
> <html><head>
>
> <title>302 Found</title>
>
> </head><body>
>
> <h1>Found</h1>
>
> <p>The document has moved here.</p>
>
> <hr>
>
> <address>Apache Server at 10.209.0.81 Port 443</address>
>
> </body></html>
>
>
>
>
>
> In conclusion:
>
> 1. Issue is "Secure page can be cached in browser." (found by owasp zap) for https page response "302 Found" from Apache.
>
> 2. Apache httpd bugs team indicated that this is not a bug in their side.
>
>
>
> I fail to understand then,
>
> 1. If No "no-cahce" flag was entered in the header, how could the response avoid being cached by the browser?
>
> 2. If it is not explicitly mentioned, isn't it a security risk over apache generic response?
>
>
>
> Would appreciate your help/advice.
>
>
>
> Thanks,
>
> Meir
>
>
>

-- 
Thanks
Mark Phippard
http://markphip.blogspot.com/

Received on 2013-12-18 16:43:53 CET

This message: [ Message body ]
Next message: Cooke, Mark: "(py)svn_load_dirs and Qt vendor branch?"
Previous message: Meir Renford: "Secure page can be cached in browser. Cache control is not set in HTTP header nor HTML header."
In reply to: Meir Renford: "Secure page can be cached in browser. Cache control is not set in HTTP header nor HTML header."

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]