Avoid caching and temporary files
Summary
The system must not store sensitive information in temporary files or cache memory.
Description
Applications sometimes reside in, or are consumed by, environments in which caching is possible. Caching improves performance or makes certain actions more convenient for application users. However, cached information is often more susceptible to being exposed or corrupted. Thus, avoiding cache memory and temporary files helps protect sensitive information.
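The two controls this requirement implies, a `Cache-Control: no-store` check on responses that carry sensitive data and a temporary file that is created with restrictive permissions and wiped on exit, are shown below as an added example; it is not code from the original page or from any product the page describes. The header names, the `cache_findings` and `ephemeral_secret_file` helpers, and the sample responses are assumptions constructed for the illustration.

```python
import os
import tempfile
from contextlib import contextmanager
from typing import Dict, Iterator, List, Tuple

# Directives that allow a shared or private cache to keep a copy of the body.
# "no-cache" alone is not enough: caches may still store the response and
# merely revalidate before reuse. Sensitive responses need "no-store".
_STORING_DIRECTIVES = {"public", "private", "max-age", "s-maxage"}


def parse_cache_control(value: str) -> Dict[str, str]:
    """Parse a Cache-Control header value into {directive: argument}."""
    directives: Dict[str, str] = {}
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def cache_findings(headers: Dict[str, str]) -> List[str]:
    """Reasons a response that carries sensitive data could end up cached.

    Returns an empty list when the headers forbid storage ("no-store").
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    directives = parse_cache_control(lowered.get("cache-control", ""))
    if "no-store" in directives:
        return []
    findings = ["Cache-Control lacks no-store"]
    for name in directives:
        if name in _STORING_DIRECTIVES:
            findings.append(f"Cache-Control allows storage via '{name}'")
    if "expires" in lowered:
        findings.append("Expires header permits caching without no-store")
    return findings


@contextmanager
def ephemeral_secret_file(data: bytes) -> Iterator[str]:
    """Yield a path holding `data` only for the duration of the block.

    mkstemp creates the file with mode 0600 and O_EXCL, so no other local
    user can read or pre-create it. On exit the content is overwritten
    (best effort; journaling and SSD wear-levelling may keep old blocks)
    and the file is unlinked so nothing sensitive remains on disk.
    """
    fd, path = tempfile.mkstemp(prefix="secret-", suffix=".bin")
    try:
        with os.fdopen(fd, "wb") as fh:  # closing fh also closes fd
            fh.write(data)
        yield path
    finally:
        try:
            with open(path, "r+b") as fh:
                fh.write(b"\x00" * len(data))
                fh.flush()
                os.fsync(fh.fileno())
        except OSError:
            pass
        try:
            os.remove(path)
        except FileNotFoundError:
            pass


def temp_file_roundtrip(secret: bytes) -> Tuple[bytes, bool, bool, int]:
    """Exercise ephemeral_secret_file and report what was observable.

    Returns (content read back, existed inside block, exists after block,
    permission bits inside block).
    """
    with ephemeral_secret_file(secret) as path:
        with open(path, "rb") as fh:
            content = fh.read()
        existed = os.path.exists(path)
        mode = os.stat(path).st_mode & 0o777
    return content, existed, os.path.exists(path), mode


if __name__ == "__main__":
    # Constructed sample responses, not captured from a real service.
    weak = {"Content-Type": "application/json",
            "Cache-Control": "private, max-age=60"}
    hardened = {"Content-Type": "application/json",
                "Cache-Control": "no-store", "Pragma": "no-cache"}
    print("weak:", cache_findings(weak))
    print("hardened:", cache_findings(hardened))
    print("temp file:", temp_file_roundtrip(b"session-token-example"))
```

Run over a set of captured response headers, `cache_findings` flags every endpoint whose output a browser or proxy is allowed to keep; `ephemeral_secret_file` is the pattern to reach for when a library insists on a file path, so the secret never outlives the operation that needed it.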
Supported In
This requirement is verified in the following services:

| Plan | Supported |
|---|---|
| Machine | 🟢 |
| Squad | 🟢 |
References
- CWE™-285. Improper authorization
- CWE™-377. Insecure temporary file
- CWE™-524. Use of cache containing sensitive information
- CWE™-525. Use of web browser cache containing sensitive information
- ePrivacy Directive-4_1a. Security of processing
- GDPR-5_1f. Principles relating to processing of personal data
- OWASP TOP 10-A2. Cryptographic failures
- CERT-J-FIO03-J. Remove temporary files before termination
- NY SHIELD Act-5575_B_6. Personal and private information
- HITRUST CSF-09_h. Capacity management
- OSSTMM3-11_11_1. Data networks security - Privacy containment mapping
- WASC-W_13. Information leakage
- NIST SSDF-PS_3_1. Archive and protect each software release
- PTES-7_4_4_2. Post Exploitation - Pillaging (user information on web browsers)
- OWASP SCP-8. Data protection
- OWASP ASVS-8_1_2. General data protection
- CASA-13_1_4. Generic Web Service Security
Vulnerabilities
- 019. Administrative credentials stored in cache memory
- 028. Insecure temporary files
- 038. Business information leak
- 065. Cached form fields
- 080. Business information leak - Customers or providers
- 085. Sensitive data stored in client-side storage
- 136. Insecure or unset HTTP headers - Cache Control
- 213. Business information leak - JWT
- 214. Business information leak - Credentials
- 215. Business information leak - Repository
- 216. Business information leak - Source Code
- 217. Business information leak - Credit Cards
- 218. Business information leak - Network Unit
- 219. Business information leak - Redis
- 220. Business information leak - Token
- 221. Business information leak - Users
- 222. Business information leak - DB
- 223. Business information leak - JFROG
- 224. Business information leak - AWS
- 225. Business information leak - Azure
- 226. Business information leak - Personal Information
- 227. Business information leak - NAC
- 228. Business information leak - Analytics
- 229. Business information leak - Power BI
- 230. Business information leak - Firestore
- 291. Business information leak - Financial Information
- 336. Business information leak - Corporate information