Finding by Zap tool: Web Cache Deception for Jenkins application


Chetan Chavan

Sep 29, 2021, 3:33:42 AM
to OWASP ZAP User Group
Hi,

I have run the ZAP tool on a Jenkins application. I found the vulnerability below and am unable to resolve it. Could you please help me get it resolved?
-------------------------------------------------------
Medium (Medium) Web Cache Deception
Description

Web cache deception may be possible. It may be possible for unauthorised user to view sensitive data on this page.

URL
https://********.com/securityRealm
Method
GET
Attack
/test.css,/test.jpg,/test.js,/test.html,/test.gif,/test.png,/test.svg,/test.php,/test.txt,/test.pdf,/test.asp,
Instances
1
Solution

It is strongly advised to refrain from classifying file types, such as images or stylesheets solely by their URL and file extension. Instead you should make sure that files are cached based on their Content-Type header.

Other information

Cached Authorised Response and Unauthorised Response are similar.

Matt Seil

Sep 29, 2021, 10:35:12 AM
to zaprox...@googlegroups.com

Hi!

So this one seems pretty straightforward. ZAP is asking, for example, for "GET /test.css", and the content type (likely a 404 error, but we don't know) doesn't match what would be expected when asking for a CSS file, which would be text/css.

As to how to test this to see if you're actually vulnerable, start with a part of the application where you'd expect to download a file, and ensure that the content-type matches the content.  If this matches for all the files you expect to download (html, javascript etc.) then this might be a false positive based on your application's behavior.

Note my use of the words "may" and "likely." On this list, we're not experts in your particular application, so we can't easily help you make final black-and-white decisions. You need to do this with your developers. Tools like ZAP are designed often to "put a scent in the air" in order to guide your nose to asking the right questions: they aren't definitive and they require human judgment.

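As an added example (not from this thread and not ZAP's own code), here is a Python check that replays the probe paths listed in the finding and applies the test Matt describes: for each /test.<ext> variant, does the Content-Type match the extension, is the body different from the authenticated page, and do the cache directives stop a shared cache from storing it? The `Response` class, the `fetch` callable and the sample page are assumptions; to run it against your own instance, replace `sample_fetch` with an authenticated HTTP client.

```python
import mimetypes
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# The extensions listed under "Attack" in the ZAP finding above.
PROBE_EXTENSIONS = ("css", "jpg", "js", "html", "gif", "png", "svg", "php", "txt", "pdf", "asp")

@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)  # header names lower-cased
    body: bytes = b""

def probe_paths(path: str) -> List[str]:
    """Build the /test.<ext> variants that ZAP appends to the scanned path."""
    return [f"{path.rstrip('/')}/test.{ext}" for ext in PROBE_EXTENSIONS]

def is_cacheable(headers: Dict[str, str]) -> bool:
    """A shared cache must not store a response marked no-store or private."""
    cc = headers.get("cache-control", "").lower()
    return not any(tok in cc for tok in ("no-store", "private"))

def assess_probe(path: str, probe: Response, original: Response) -> List[str]:
    """Findings for one probe path; an empty list means nothing suspicious."""
    findings = []
    if probe.status != 200:
        return findings  # a 404 for /test.css is the expected, safe behaviour
    ctype = probe.headers.get("content-type", "").split(";")[0].strip().lower()
    expected, _ = mimetypes.guess_type(path)  # e.g. text/css for a .css path
    if expected and ctype != expected:
        findings.append(f"Content-Type {ctype!r} does not match extension (expected {expected!r})")
    if probe.body == original.body:
        findings.append("probe body is identical to the authenticated page")
    if is_cacheable(probe.headers):
        findings.append("no Cache-Control: no-store/private, so a shared cache may store it")
    return findings

def check_cache_deception(path: str, fetch: Callable[[str], Response]) -> Dict[str, List[str]]:
    """Fetch the page and each probe through an authenticated client; return flagged probes."""
    original = fetch(path)
    return {p: f for p in probe_paths(path) if (f := assess_probe(p, fetch(p), original))}

# Constructed sample: the page and every /test.<ext> variant return the same HTML with no cache directives.
SAMPLE_PAGE = Response(200, {"content-type": "text/html;charset=utf-8"}, b"<html>security realm</html>")
def sample_fetch(path: str) -> Response:  # stands in for a real authenticated HTTP client
    return SAMPLE_PAGE

if __name__ == "__main__":
    for probe, findings in check_cache_deception("/securityRealm", sample_fetch).items():
        print(probe, findings)
```

A probe that returns 404, or 200 with the right Content-Type and `Cache-Control: no-store`, produces no findings, which is the behaviour the ZAP solution text asks for.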