Avoid caching and temporary files

Summary

The system must not store sensitive information in temporary files or cache memory.

Description

Applications sometimes reside in or get consumed by environments in which caching is possible. Caching helps performance or makes certain actions more comfortable for the application users. However, cached information is often more susceptible to being exposed or corrupted. Thus, avoiding cache memory and temporary files helps protect sensitive information.

Supported In

This requirement is verified in following services

Plan	Supported
Machine	🟢
Squad	🟢

References

• CWE™-285. Improper authorization
• CWE™-377. Insecure temporary file
• CWE™-524. Use of cache containing sensitive information
• CWE™-525. Use of web browser cache containing sensitive information
• ePrivacy Directive-4_1a. Security of processing
• GDPR-5_1f. Principles relating to processing of personal data
• OWASP TOP 10-A2. Cryptographic failures
• CERT-J-FIO03-J. Remove temporary files before termination
• NY SHIELD Act-5575_B_6. Personal and private information
• HITRUST CSF-09_h. Capacity management
• OSSTMM3-11_11_1. Data networks security - Privacy containment mapping
• WASC-W_13. Information leakage
• NIST SSDF-PS_3_1. Archive and protect each software release
• PTES-7_4_4_2. Post Exploitation - Pillaging (user information on web browsers)
• OWASP SCP-8. Data protection
• OWASP ASVS-8_1_2. General data protection
• CASA-13_1_4. Generic Web Service Security

Vulnerabilities

• 019. Administrative credentials stored in cache memory
• 028. Insecure temporary files
• 038. Business information leak
• 065. Cached form fields
• 080. Business information leak - Customers or providers
• 085. Sensitive data stored in client-side storage
• 136. Insecure or unset HTTP headers - Cache Control
• 213. Business information leak - JWT
• 214. Business information leak - Credentials
• 215. Business information leak - Repository
• 216. Business information leak - Source Code
• 217. Business information leak - Credit Cards
• 218. Business information leak - Network Unit
• 219. Business information leak - Redis
• 220. Business information leak - Token
• 221. Business information leak - Users
• 222. Business information leak - DB
• 223. Business information leak - JFROG
• 224. Business information leak - AWS
• 225. Business information leak - Azure
• 226. Business information leak - Personal Information
• 227. Business information leak - NAC
• 228. Business information leak - Analytics
• 229. Business information leak - Power BI
• 230. Business information leak - Firestore
• 291. Business information leak - Financial Information
• 336. Business information leak - Corporate information

free trial

Search for vulnerabilities in your apps for free with our automated security testing! Start your 21-day free trial and discover the benefits of our Continuous Hacking Machine Plan. If you prefer a full service that includes the expertise of our ethical hackers, don't hesitate to contact us for our Continuous Hacking Squad Plan.