An industry-standard Dynamic Application Security Testing (DAST) vulnerability scanner reported the browser cache directive as a vulnerability in Embedded Entitlement Manager (EEM).
Description
The response's browser cache headers allow the response to be cached. If the response contains sensitive information, that information may be leaked into the browser cache.
By default, a response is cacheable if the requirements of the request method, request header fields, and the response status indicate that it is cacheable. Unless specifically constrained by a cache-control directive, a caching system MAY always store a successful response as a cache entry, MAY return it without validation if it is fresh, and MAY return it after successful validation. If there is neither a cache validator nor an explicit expiration time associated with a response, we do not expect it to be cached, but certain caches MAY violate this expectation (for example, when little or no network connectivity is available). A client can usually detect that such a response was taken from a cache by comparing the Date header to the current time. In practice, this means the browser can temporarily store pages it has visited as files in a cache folder and, when those pages are requested again, display them from the cache. Logging out of an application does not clear any sensitive information the browser cache may already hold.
Recommendation
Update the Cache-Control HTTP response header to include the no-store directive. The purpose of this directive is to prevent the inadvertent release or retention of sensitive information. The suggested HTTP response headers are:
Cache-Control: no-cache, no-store
Expires: 0
Pragma: no-cache
URL: https://hostname:5250/spin/eiam/eiam.csp
Proof
HTTP/1.1 200 OK
Date: Fri, 06 Nov 2020 02:11:28 GMT
Content-Length: 9766
Content-Type: text/html; charset=utf-8
Server: iGateway
Set-Cookie: spin=7105f25f14692a5db2076e7ec23e58f-5fa103ef-1c17f450-bbf8;Secure ;HttpOnly; path=/spin/
Proof Description
Cache-Control is missing the no-store directive. Unless specifically constrained by a cache-control directive, a caching system MAY always store a successful response as a cache entry.
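The following is an added example, not code from the scanner report or from the EEM product. It parses a raw HTTP response head, reproduces the check behind this finding (the response quoted under Proof above is used as the sample input) and applies the header set given under Recommendation, replacing any existing Cache-Control, Expires or Pragma fields so that a weaker directive cannot survive beside the new ones. The finding strings and the replacement policy are this example's own choices, not the scanner's.

```python
"""Check an HTTP response head for cacheability and apply the recommended
cache headers.  Added example; not part of the scanner report or of EEM."""

from typing import Dict, List, Set

# Raw response head as quoted in the Proof section (header lines only).
PROOF_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Fri, 06 Nov 2020 02:11:28 GMT\r\n"
    "Content-Length: 9766\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Server: iGateway\r\n"
    "Set-Cookie: spin=7105f25f14692a5db2076e7ec23e58f-5fa103ef-1c17f450-bbf8;"
    "Secure ;HttpOnly; path=/spin/\r\n"
    "\r\n"
)

# Header set recommended above.
RECOMMENDED_HEADERS = {
    "Cache-Control": "no-cache, no-store",
    "Expires": "0",
    "Pragma": "no-cache",
}


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse the header fields of a raw HTTP response head.

    Header names are case-insensitive, so they are lower-cased; repeated
    fields (for example several Set-Cookie lines) are kept as a list.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response head")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def cache_control_directives(headers: Dict[str, List[str]]) -> Set[str]:
    """Return the Cache-Control directive names (lower-cased, values dropped)."""
    directives: Set[str] = set()
    for field in headers.get("cache-control", []):
        for token in field.split(","):
            name = token.split("=", 1)[0].strip().lower()
            if name:
                directives.add(name)
    return directives


def cache_findings(raw: str) -> List[str]:
    """Return the findings a check like the scanner's would raise.

    An empty list means the response carries the full recommended set.
    """
    headers = parse_headers(raw)
    directives = cache_control_directives(headers)
    findings: List[str] = []
    if "no-store" not in directives:
        findings.append("Cache-Control missing no-store directive")
    if "no-cache" not in directives:
        findings.append("Cache-Control missing no-cache directive")
    pragma = {v.lower() for v in headers.get("pragma", [])}
    if "no-cache" not in pragma:
        findings.append("Pragma: no-cache missing")
    if "expires" not in headers:
        findings.append("Expires header missing")
    return findings


def with_recommended_headers(raw: str) -> str:
    """Return the response head with the recommended cache headers applied.

    Existing Cache-Control, Expires and Pragma fields are replaced so that a
    weaker directive (e.g. 'public, max-age=600') cannot remain alongside.
    """
    head, sep, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    replaced = {k.lower() for k in RECOMMENDED_HEADERS}
    kept = [lines[0]] + [
        ln for ln in lines[1:]
        if ln.partition(":")[0].strip().lower() not in replaced
    ]
    kept += [f"{k}: {v}" for k, v in RECOMMENDED_HEADERS.items()]
    return "\r\n".join(kept) + sep + body


if __name__ == "__main__":
    for finding in cache_findings(PROOF_RESPONSE):
        print("FINDING:", finding)
    fixed = with_recommended_headers(PROOF_RESPONSE)
    print(fixed)
    print("remaining findings:", cache_findings(fixed))
```

Run against the Proof response, the check reports the missing no-store and no-cache directives together with the absent Pragma and Expires headers; after the recommended headers are applied it reports nothing. The same functions can be run over headers captured from any other endpoint, including ones that already send a permissive Cache-Control such as public or max-age, which the directive parser handles as well.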
Release : 12.6
Component : WA AE/AUTOSYS RELATED EEM
The identified Spin ID does not contain any sensitive information, in particular nothing session related with which one could launch an attack on the EEM server.