Sensitive Fields Cached


Description

The application caches sensitive form fields. Form field data is cached during an HTTP POST request and can be replayed by clicking the browser’s Back or Refresh buttons. This will cause the browser to resubmit the POST request and resend the data. An attacker with local access to the browser can use this vulnerability to access the sensitive data.

Impact

An attacker with local access to a user’s machine is able to exploit this vulnerability by causing the browser to resubmit the form data. This information can be easily captured using a local proxy to intercept the traffic. If the form includes authentication information, the attacker can resubmit the request and log in as the user. Once the attacker can impersonate the user, they can gain access to sensitive information and functions.
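The behaviour described above can be checked from the response to the form POST. The following is an added example, not part of the original finding: two constructed WSGI login handlers (one that answers the POST directly, one that uses Post/Redirect/Get with Cache-Control: no-store) and a check that flags the replayable one. The handler names, the /login and /account paths and the sample credentials are assumptions made for illustration.

```python
# Added example (constructed): a login POST handler that can be replayed via
# Back/Refresh, beside one using Post/Redirect/Get plus Cache-Control: no-store.
import io

def login_replayable(environ, start_response):
    # Answers the POST directly with a 200 page: the POST stays in browser
    # history, so Back/Refresh offers to resubmit the credentials.
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<h1>Welcome</h1>"]

def login_prg(environ, start_response):
    if environ["REQUEST_METHOD"] == "POST":
        # 303 makes the browser follow up with a GET; the history entry is
        # that GET, so there is no POST body left to resubmit.
        start_response("303 See Other", [("Location", "/account"),
                                         ("Cache-Control", "no-store")])
        return [b""]
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("Cache-Control", "no-store")])
    return [b"<h1>Welcome</h1>"]

def post_form(app, path, body):
    """Send a form POST to a WSGI app in-process; return (status, headers)."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"] = int(status.split()[0])
        captured["headers"] = {k.lower(): v for k, v in headers}
    environ = {"REQUEST_METHOD": "POST", "PATH_INFO": path,
               "CONTENT_TYPE": "application/x-www-form-urlencoded",
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    b"".join(app(environ, start_response))
    return captured["status"], captured["headers"]

def replay_findings(status, headers):
    """Flag POST responses that leave sensitive form data replayable."""
    findings = []
    if status not in (302, 303):
        findings.append("POST answered without redirect (resubmittable on Back/Refresh)")
    directives = {d.strip().lower() for d in headers.get("cache-control", "").split(",")}
    if "no-store" not in directives:
        findings.append("response lacks Cache-Control: no-store")
    return findings

SAMPLE_BODY = b"username=alice&password=example-only"  # constructed sample input

if __name__ == "__main__":
    for app in (login_replayable, login_prg):
        print(app.__name__, replay_findings(*post_form(app, "/login", SAMPLE_BODY)))
```

The same check can be run against captured status codes and headers from a real application by passing them to replay_findings directly.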

Risk Rating

Remediation

How To Test

Sample Report Screenshots

Time Saving Tips

Testing Gotchas

References

 
