Comments (22)
I'd recommend clarifying no-cache
and no-store
into separate [split] requirements.
from asvs.
... and like usual - 0 arguments. What is the reason to have requirement for no-cache
in ASVS?
from asvs.
... and like usual - 0 arguments. What is the reason to have requirement for
no-cache
in ASVS?
no-cache
is configured by ASP.NET Core Data Protection
to prevent CSRF for example.
from asvs.
... and can you explain me, how no-cache
value in Cache-Control
HTTP response header prevents CSRF attack?
from asvs.
... and can you explain me, how
no-cache
value inCache-Control
HTTP response header prevents CSRF attack?
The Synchronizer Token within the Response shouldn't be cached.
from asvs.
Your comments are technically incompetent.
Do you actually understand that no-cache
does not disallow caching which is quoted in the issue and which is the main point of the issue?
from asvs.
Your comments are technically incompetent.
Do you actually understand that
no-cache
does not disallow caching which is quoted in the issue and which is the main point of the issue?
Can @elarlang withdraw this comment based on the extract of https://learn.microsoft.com/en-us/aspnet/core/performance/caching/middleware please?
from asvs.
No. My comment is valid.
Additionally you should understand the difference between cache for middleware (which you are referring) and the cache configuration for browser (which is the issue here).
from asvs.
no-cache
prevents CSRF by forcing the web browser to revalidate the Synchronizer Token with the web server before sending the POST request.
Please let me know if you still disagree @elarlang?
from asvs.
no-cache prevents CSRF by forcing the web browser to revalidate the Synchronizer Token with the web server before sending the POST request.
And you don't dare here to explain, how and why this no-cache
actually works in this process? I assume (which is in general bad thing to do) that there is extra HTTP request to achieve fresh tokens before data-changing request (in your example HTTP request with POST method). But it's not possible to read it out from your line - how browser is revalidating it.
Setting no-cache
is not defence against CSRF. If you cache tokens, you may cause new vector to do it or just break functionality (because client sends invalid tokens), but it's not defense against CSRF. You are just copy-pasting lines from ASP NET manual without understanding the context (middleware vs browser cache).
from asvs.
Relevant quotes from https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control#no-cache which should hopefully change your opinion @elarlang
- the response must be validated with the origin server before each reuse, even when the cache is disconnected from the origin server.
- If you want caches to always check for content updates while reusing stored content, no-cache is the directive to use. It does this by requiring caches to revalidate each request with the origin server.
- no-cache allows caches to store a response but requires them to revalidate it before reuse.
from asvs.
Change my opinion on what?
The topic here is - client-side cache and sensitive data. Which means you are not allowed to store any cache on the client side (edit: anywhere) and if you don't have any cache on the client side, validating it is not the case.
Just stop digging your hole deeper.
from asvs.
I'll double check that CSRF controls include Cache-Control: no-cache
elsewhere in ASVS.
8.2.1 does not mandate Cache-Control: no-cache
but "anti-caching headers" should be reworded to infer setting Cache-Control: no-store
with a suitable an antonym.
from asvs.
As far as I can tell, the CSRF point here is very niche and probably not worth having its own requirement.
@elarlang, I found this blog on caching which would seem to indicate that a more complex config is needed to fully eliminate caching.
from asvs.
The blog gives nice overview, but also kind of agrees with my question. To avoid caching sensitive data on the client-side (browser) the best option is to use no-store
- it still writes it to memory.
The main point of the issue - from pen-testing I see often, that there is only no-cache
set for Cache-Control
, but the value is misleading and it's not correct / enough.
The rest is mostly configuring cache-server and this is the requirement 8.1.1
# | Description | L1 | L2 | L3 | CWE |
---|---|---|---|---|---|
8.1.1 | [MODIFIED, MERGED FROM 8.1.2] Verify that the application prevents sensitive data from being cached in server components such as load balancers and application caches or ensures that the data is securely purged after use. | ✓ | ✓ | 524 |
from asvs.
it still writes it to memory.
We should limit this ASVS Requirement to Cache-Control: no-store
as recovering the sensitive data from memory is outside the threat model of ASVS.
from asvs.
So what do you think about:
[MODIFIED] Verify the application sets sufficient anti-caching headers (including but not limited to Cache-Control: no-store) so that sensitive data is not cached in modern browsers.
from asvs.
I've removed "including but not limited to" as this is open to interpretation, where the developer will select the less secure control, and Cache-Control: no-store
explicit @tghosth
[MODIFIED] Verify the application sets sufficient anti-caching headers (
including but not limited toi.e.Cache-Control: no-store
) so that sensitive data is not cached in modern browsers.
Should we define another requirement for Cache-Control: no-cache
for CSRF, which was discussed within #795 without the explicit Cache-Control: no-cache
callout?
from asvs.
I also think that the part including but not limited to
is not needed in the requirement.
But this no-cache vs csrf topic is non-stop facepalm here. Just stop it.
from asvs.
So @elarlang you also prefer:
[MODIFIED] Verify the application sets sufficient anti-caching headers (i.e. Cache-Control: no-store) so that sensitive data is not cached in modern browsers.
from asvs.
I'd removed the reference to the word "cache" in its entirety with as little reference to the cache control header @tghosth
[MODIFIED] Verify the application sets sufficient cache control headers (i.e. Cache-Control: no-store
) so that sensitive data is not cached retained in by modern browsers.
from asvs.
It will be in memory or DOM anyway, can not take away that.
from asvs.
Related Issues (20)
- Request for Reevaluation of ASVS Item 10.3.3 Related to Subdomain Takeovers HOT 26
- Masking Sensitive Information in Category 8 HOT 23
- Discourage the use of Stateless Sessions (and therefor the usage of JWT for session) HOT 10
- Consideration for Memcache Injection Vulnerabilities HOT 16
- Consideration for Excluding Item 14.5.6 HOT 4
- 7.2 covering "Security Events" HOT 1
- 1.7.1 - do we need to require common logging format? HOT 6
- Section and requirement relevance questions HOT 2
- Consideration for HTTP/3 Security HOT 6
- Suggestion for Reconsideration of ASVS Requirement 8.3.1 Classification HOT 6
- Opportunistic Session Termination HOT 20
- recommendations chapter HOT 3
- Require case-sensitive password matching? HOT 11
- 14.4 section (HTTP Security Headers) rename / find better category-section for "content-type" requirements. HOT 2
- proposal: new requirement for disallowing search engines to crawl and index the content HOT 8
- 2.2.2 and 2.7.1 are duplicates HOT 2
- 2.7.5 is a security problem and weakness HOT 8
- 2.7.6 and 2.7.7 are in conflict HOT 6
- discussion/proposal: disallow user-autologin to an application using SSO sessions HOT 3
- Inclusion of Cypher Injection Prevention for Neo4j in ASVS 5.3.4 HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from asvs.