Web App Hacking: Caching Problems

Caching problems can lead to very severe consequences. This course will teach you different types of problems, common mistakes, and countermeasures related to cache processing in modern web applications.
Course info
Rating: (56)
Level: Beginner
Updated: May 10, 2017
Duration: 45m
Description

Caching problems are underestimated by developers and security engineers. In this course, Web App Hacking: Caching Problems, you'll learn why this subject matters and how severe the consequences of caching problems can be. First, you'll see how sensitive data from your web application can be exposed to everyone on the Internet through Google's cache. Next, you'll discover how your password can end up cached in plaintext when HTTPS responses are cacheable. After that, you'll see how credit card data can be processed insecurely with respect to caching. Then, you'll learn why sensitive data should never be sent in the URL. Finally, you'll explore how the caching problems discussed in this course relate to industry best practices. By the end of the course, you'll know how to test web applications for different types of caching problems.

About the author

Dawid Czagan is listed among the Top 10 Hackers by HackerOne. He has found security vulnerabilities in Google, Yahoo, Mozilla, Microsoft, Twitter, and other companies. Due to the severity of these bugs, he has received numerous awards for his findings.

Section Introduction Transcripts

Course Overview
Hi everyone. My name is Dawid. Welcome to my course, Web App Hacking: Caching Problems. I am a security instructor, researcher, and bug hunter. Caching problems are underestimated by developers and security engineers, and in this course I will show you why this subject is important and how severe consequences can happen as a result of caching problems. You will learn that sensitive data from your web application can be exposed to everyone on the internet as a result of Google caching. You will see how HTTPS-protected responses can be cached in plain text. I will explain how credit card data can be insecurely processed in terms of cache. You will learn why sensitive data should never be sent in the URL. And I will show you how the caching problems that I discuss in this course are related to industry best practices. for different types of caching problems. You will also learn how to prevent these problems from happening. I hope you will join me on this journey to learn about caching problems, with the Web App Hacking: Caching Problems course, at Pluralsight.

Google Caching
In this module, I will discuss Google Caching. I will show you how sensitive data from your web application can be exposed to everyone on the internet as a result of Google caching. From a technical point of view, I will discuss Google indexing and Google caching, and I will also show you how to use Google Search functionality to check if some sensitive data from your own web application has already been cached by Google.

Cacheable HTTPS Responses
In this module, I will discuss Cacheable HTTPS Responses. First, I will explain why using secure HTTPS is not enough. Then I will discuss how HTTPS-protected responses can be insecurely processed, and I will demonstrate how your password can be cached in plaintext as a result of cacheable HTTPS responses. Passwords are very sensitive data, and sensitive data should never be stored in plaintext. That's why this subject is worth discussing.

Caching of Credit Card Data
In this module, I will discuss Caching of Credit Card Data. We use credit card data every single day, and in this module I will show you what can happen if this sensitive data is insecurely processed. To be more precise, I will focus on insecure processing of sensitive data that is entered by the user into an HTML form, and credit card data is a very good and practical example. You will see that credit card data can be cached in plaintext once it is insecurely processed. And of course, we don't want this sensitive data to be cached in plaintext.
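The two modules above (cacheable HTTPS responses and cached credit card data) come down to the same test: does the response that carries the password or card number tell caches not to store it? The following is an added example written for this page, not material from the course or its author. It takes a response's headers (a dict, or the raw output of `curl -si`) and reports whether a browser disk cache or a shared cache may store the body. The point it makes is that TLS does not matter here: the browser decrypts and then writes to disk unless Cache-Control says no-store; no-cache, Pragma and Expires do not forbid storage. All header sets, the raw response and the helper names (parse_cache_control, parse_raw_headers, check_sensitive_response) are constructed for this example.

```python
"""Check whether an HTTP(S) response that carries sensitive data (a login page,
a page that echoes a password or a card number) may be written to a cache.

TLS only protects the response in transit. Once decrypted, the browser writes
the body to its disk cache unless the response forbids it, so the checks below
are identical for http:// and https:// URLs. All header sets and the raw
response at the bottom are constructed examples, not captures from any site.
"""


def parse_cache_control(value: str) -> dict:
    """Parse a Cache-Control value into {directive: argument_or_None}.
    Directive names are case-insensitive (RFC 7234, section 5.2)."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def parse_raw_headers(raw: str) -> dict:
    """Turn a raw response (for example the output of `curl -si URL`) into a
    header dict with lower-cased names. The status line and body are skipped."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = {}
    for line in head.split("\n")[1:]:  # [0] is the status line
        name, sep, value = line.partition(":")
        if not sep:
            continue
        key = name.strip().lower()
        # A repeated header is equivalent to one comma-joined value (RFC 7230, 3.2.2).
        headers[key] = headers[key] + ", " + value.strip() if key in headers else value.strip()
    return headers


def check_sensitive_response(headers: dict) -> list:
    """Return findings for a response whose body must never be stored by any
    cache. An empty list means storage is forbidden (Cache-Control: no-store)."""
    lower = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lower.get("cache-control", ""))
    if "no-store" in cc:
        return []
    findings = ["Cache-Control lacks no-store: the browser disk cache may store the body"]
    if "no-cache" in cc:
        findings.append("no-cache only forces revalidation before reuse; the copy still sits on disk")
    if "private" not in cc:
        findings.append("no 'private' directive: shared caches (proxies, CDNs) may store it as well")
    if lower.get("pragma", "").strip().lower() == "no-cache":
        findings.append("Pragma: no-cache is an HTTP/1.0 request directive and does not replace Cache-Control")
    return findings


# Constructed header sets for a page that echoes the user's password or card number.
WEAK = {"Content-Type": "text/html", "Cache-Control": "public, max-age=3600"}
MISLEADING = {"Content-Type": "text/html", "Cache-Control": "no-cache", "Pragma": "no-cache"}
HARDENED = {
    "Content-Type": "text/html",
    "Cache-Control": "no-store, no-cache, must-revalidate, private",
    "Pragma": "no-cache",
    "Expires": "0",
}

# Constructed raw response, as `curl -si` would print it.
RAW_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Cache-Control: no-cache\r\n"
    "Pragma: no-cache\r\n"
    "\r\n"
    "<html>Card ending 1111 accepted</html>"
)

if __name__ == "__main__":
    samples = [("weak", WEAK), ("misleading", MISLEADING), ("hardened", HARDENED),
               ("raw", parse_raw_headers(RAW_RESPONSE))]
    for label, hdrs in samples:
        print(label, check_sensitive_response(hdrs) or ["OK: no-store present"])
```

To test a live endpoint, paste the output of `curl -si https://host/path` into parse_raw_headers and pass the result to check_sensitive_response. The "misleading" set is the one to watch for in reviews: Cache-Control: no-cache plus Pragma: no-cache looks like a fix but still lets the body reach the disk cache; only no-store (combined with private for shared caches) closes the issue.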

Sensitive Data in the URL
In this module, I will discuss the problems related to sensitive data that is sent in the URL. It happens quite often that developers are sending sensitive data in the URL, and this is not good from a security point of view. When sensitive data is sent in the URL, then this data becomes automatically disclosed in a number of places, and that's the reason why this problem is worth discussing.
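One of the places a URL is disclosed is the web server's own access log (along with browser history, proxy logs and the Referer header sent to other sites). The following is an added example for this page, not code from the course or its author: a scanner that reads access-log lines and flags query parameters that carry secrets, either by name (password, token, session identifiers and the like) or because the value has the length of a payment card number and passes the Luhn check. It also inspects the Referer field, since a Referer is another page's URL leaking into this log. The log lines, the parameter-name list and the card number (the well-known 4111... Visa test number) are constructed; the log format assumed is Common Log Format with a quoted Referer, and the helper names are my own.

```python
"""Scan URLs for sensitive data carried in the query string.

A URL is written to the browser history, to web-server and proxy logs, and is
sent to third parties in the Referer header, so anything placed in it should be
treated as disclosed. The scanner below runs over web-server access-log lines
(Common Log Format plus a quoted Referer); the lines, parameter list and card
number (the well-known 4111... Visa test number) are all constructed for this
example and are not from the course.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter names that usually carry secrets. Extend per application.
SENSITIVE_NAMES = {
    "password", "passwd", "pwd", "pass", "token", "access_token", "secret",
    "session", "sessionid", "jsessionid", "phpsessid", "apikey", "api_key",
    "card", "cardnumber", "pan", "cvv", "ssn",
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)")?'
)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, which every payment card number must satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def looks_like_pan(value: str) -> bool:
    """True if the value has a card number's length (13-19 digits, spaces or
    dashes allowed) and passes Luhn. Not proof, but worth a finding."""
    digits = re.sub(r"[ -]", "", value)
    return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)


def sensitive_params(url: str) -> list:
    """Return [(parameter, reason)] for query parameters exposing sensitive data.
    Works for absolute URLs and bare request targets such as /login?x=y."""
    query = urlsplit(url).query
    found = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name.lower() in SENSITIVE_NAMES:
            found.append((name, "sensitive parameter name"))
        elif looks_like_pan(value):
            found.append((name, "value passes the Luhn check (possible card number)"))
    return found


def scan_log(lines) -> list:
    """Return (line_no, field, url, findings) for every logged URL carrying
    sensitive data. The Referer is checked too: it is another page's URL
    leaking into this server's log."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        for field in ("target", "referer"):
            url = m.group(field)
            if url and url != "-":
                findings = sensitive_params(url)
                if findings:
                    hits.append((n, field, url, findings))
    return hits


# Constructed access-log lines (Common Log Format with a quoted Referer).
LOG = [
    '203.0.113.5 - - [10/May/2017:10:00:01 +0000] "GET /login?user=alice&password=Winter2017 HTTP/1.1" 302 0 "-"',
    '203.0.113.5 - - [10/May/2017:10:00:02 +0000] "GET /account HTTP/1.1" 200 4321 "https://shop.example/pay?number=4111111111111111&exp=1219"',
    '198.51.100.7 - - [10/May/2017:10:00:03 +0000] "GET /search?q=caching HTTP/1.1" 200 1200 "-"',
    '198.51.100.7 - - [10/May/2017:10:00:04 +0000] "GET /reset?token=9f1c2a7b HTTP/1.1" 200 500 "-"',
]

if __name__ == "__main__":
    for line_no, field, url, findings in scan_log(LOG):
        print(f"line {line_no} ({field}): {url}")
        for name, reason in findings:
            print(f"    {name}: {reason}")
```

Run against a real log with `scan_log(open("access.log"))`. Every hit is data that has already been written to disk in plaintext; the fix on the application side is to move such values out of the URL into the request body (POST) or a header, and to rotate any token that has already appeared in a log.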

Industry Best Practices
In this module, I will discuss Industry Best Practices related to cache processing in modern web applications. First, I will introduce you briefly to OWASP ASVS, which is the Application Security Verification Standard. And then I will focus on one section of this document, Data Protection Verification Requirements. It turns out that caching problems are mentioned in this particular section of OWASP ASVS, and that's the reason why this section is going to be discussed in this course.