Re: Browser refresh sends username/password after log out -- URGENT

["Spicciati Jaime" <spicciati_jaime () bah com>]

Be cautious when using the Cache-Control directive as it may be possible
to inadvertently cache the page based on the location of the pragma
metatag. In other words if you are going to use <HTTP-EQUIV="PRAGMA"
CONTENT="NO-CACHE"> make sure that this information is not placed in the
header section, as IE has a bug which causes it to not  purge the cache
until 32 KB is recieved, meaning that if the metatag is in the first 32
KB of the page than the metatag is ignored, and the page is cached. Read
the following link for more details....

http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q222/0/64.ASP&NoWebContent=1

Thanks
Jaime Spicciati
Booz Allen Hamilton

Imre Kertesz wrote:
> If I understand this correctly, the application is allowing cacheing of
> the credentials. One way to discourage this, from the application's
> perspective, is to include a script function such as <FORM
> AUTOCOMPLETE="off"> within the splash page script, as well as the
> appropriate Cache-Control directive (e.g. "Cache-Control: no-cache").
> Just the fact that this cacheing of credentials is possible within a
> banking application makes the app a potential target for attackers who
> may see it as a treasure trove of vulnerabilities.
>
> -I
>
> K Kohli wrote:
>
> > I am into remote application testing for a critical
> > banking application. The following points will make
> > the question clear
> > 1)We login and browse the banking site, do
> > transactions etc and then logout from there.
> > 2)We get a page saying you have been successfully
> > logged out
> > 3) Now we do a Back and refresh on the browser
> > window and we get a pop up "The page cannot be
> > refreshed without resending the information. Press
> > retry to sending it again ...." .
> > 4) From here we say "Retry" and watch the data
> > going in a Web Proxy.
> > 5) We are able to see the Username and password
> > again being sent to the server. When we compare
> > this request with the one sent from the first login
> > page( Where we give the username/password), both
> > are exactly the same. I feel thaat the same request
> > is being resend. This is a great security risk as
> > the credentials are being passed again.
> > 6) Can anyone explain this behaviour and how to
> > avoid the resubmission of the credentials.
> > 7) How many requests does the browser window store
> > in its temporary cache.
> >
> > =====
> > " DON'T WORRY BE HAPPY,
> >      EVERY NIGHT YOU HAVE SOME TROUBLE,
> >      IF YOU WORRY YOU MAKE IT DOUBLE,
> >      SO DON'T WORRY BE HAPPY NOW...."
>
> --
>
> -· · ···- · ·-· ·--· · - ·- -··· ··- ·-· -· ·· -· --· -·· --- --·
> "If you sit quietly at the edge of a river, eventually
> you will see the bodies of your enemies float by"
> -A maxim of patience, author unknown
>
> Imre Kertesz
> 480.363.1492
> PGP ID: 0x1C1E5054