How does the "secure page browser cache" vulnerability make a web application insecure?


Question

I am using OWASP's ZAP tool for vulnerability scanning, it shows alert for "secure page browser cache" vulnerability. Below are the details of ZAP alert:

Risk: Medium, Reliability: Warning

Description: Secure page can be cached in browser. Cache control is not set in HTTP header nor HTML header. Sensitive content can be recovered from browser storage.

Solution: The best way is to set HTTP header with: 'Pragma: No-cache' and 'Cache-control: No-cache'. Alternatively, this can be set in the HTML header by: but some browsers may have problem using this method.

Can you please tell me how this vulnerability will affect my application if it's not fixed, and how an attacker will use it to hack the application.

Answer

The problem is that information that should be kept private can be viewed by anyone with access to the files in the browser's cache directory.

This is a problem particularly with shared computers. If caching is not set properly, then anyone using the shared computer can view the private web pages after the original user has logged off the site which is hosting the secure material.

This can also be a problem if the computer has malware which can read files. The malware can gather information from the browser cache and transfer it off the computer.

Your application will not malfunction if the cache headers are not set properly. However, you might expose your users to the consequences of their private information being misused.
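As an added illustration of the answer above (this is editor-written example code, not part of the original question, answer, or ZAP), the block below does two things: it evaluates a response's caching headers the way the ZAP rule does, and it shows a WSGI middleware that stamps the hardening headers onto every response. One caveat a practitioner should know: the `Cache-Control: no-cache` value that the ZAP alert text suggests only forces the browser to revalidate a stored copy before reusing it; the body can still be written to the cache directory on disk. `Cache-Control: no-store` is the directive that tells the browser not to persist the response at all, so the middleware sends `no-store` alongside `no-cache` and `Pragma: no-cache`. The `account_app` page, its response body, and the three-way verdict names are constructed for this example; the middleware itself is plain WSGI from the Python standard interface and does not depend on any framework.

```python
"""
Added example: classify a response's caching headers the way ZAP's
"secure page browser cache" rule does, and a WSGI middleware that
applies the hardening headers to every response.
"""
from typing import List, Set, Tuple

Headers = List[Tuple[str, str]]


def _directives(value: str) -> Set[str]:
    # "no-cache, max-age=0" -> {"no-cache", "max-age=0"}
    return {d.strip().lower() for d in value.split(",") if d.strip()}


def caching_verdict(headers: Headers) -> str:
    """Return one of 'stored', 'revalidate', or 'not-stored'.

    'stored'      nothing tells the browser not to write the body to its
                  cache directory; this is the case ZAP alerts on.
    'revalidate'  Cache-Control: no-cache or Pragma: no-cache is present;
                  the body may still be on disk but must be checked with
                  the server before it is reused.
    'not-stored'  Cache-Control: no-store is present; the browser must not
                  persist the response at all.
    """
    cc: Set[str] = set()
    pragma: Set[str] = set()
    for name, value in headers:
        lname = name.lower()
        if lname == "cache-control":
            cc |= _directives(value)
        elif lname == "pragma":
            pragma |= _directives(value)
    if "no-store" in cc:
        return "not-stored"
    if "no-cache" in cc or "no-cache" in pragma:
        return "revalidate"
    return "stored"


# Hardened header set: no-store is what keeps the body off disk;
# no-cache / Pragma / Expires cover older clients and proxies.
HARDENED_HEADERS: Headers = [
    ("Cache-Control", "no-store, no-cache, must-revalidate, max-age=0"),
    ("Pragma", "no-cache"),
    ("Expires", "0"),
]


def no_store_middleware(app):
    """WSGI middleware: replace any caching headers the app set with the
    hardened set, so a forgotten header on one view cannot leak a page."""
    def wrapped(environ, start_response):
        def _start_response(status, headers, exc_info=None):
            kept = [(n, v) for n, v in headers
                    if n.lower() not in ("cache-control", "pragma", "expires")]
            return start_response(status, kept + HARDENED_HEADERS, exc_info)
        return app(environ, _start_response)
    return wrapped


def account_app(environ, start_response):
    # Constructed sample "secure page": private content, no caching headers.
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<h1>Account: balance 1,234.56</h1>"]


def run(app, path: str = "/account"):
    """Drive a WSGI app offline and return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    _, raw_headers, _ = run(account_app)
    print("unprotected:", caching_verdict(raw_headers))    # stored
    _, fixed_headers, _ = run(no_store_middleware(account_app))
    print("hardened:   ", caching_verdict(fixed_headers))  # not-stored
```

Wrapping the whole application rather than setting headers view by view is the safer design: the leak the answer describes comes from the one page someone forgot, and a middleware removes that class of mistake. If some responses (static assets, public pages) should stay cacheable, branch on the path or on a marker the view sets, but default to `no-store`.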
