Penetration Testing mailing list archives
Re: [PEN-TEST] Home-Banking PEN-TESTING
From: Meredith S <MeredithS () PWAOR COM>
Date: Fri, 1 Sep 2000 09:53:07 +0100
I would consider it a breach of security as well, considering you can specify *not* to cache by setting a value in the page's header. In .asp this is as trivial as adding <% Response.Expires = 0 %> to the beginning of this page (I wouldn't know how to do it with anything else, as I'm not a web developer).

The restaurant analogy isn't entirely accurate. If you go to a restaurant and hand the waitress your credit card, and she reappears wearing a mink or never reappears at all, then you have some idea what happens. If a page is recovered from cache in a publicly accessible environment, then there is no way of backtracking. Or even telling where the page was recovered from (there could be a proxy server somewhere on the network).

[snip]
Stuff like (encrypted) pages being stored in the cache, and so available to any/all users of the same computer are often considered by the press to be breaches in security, but fundamentally you must look at the comparative risk - do you use your credit card in restaurants?
[snip]
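
Added example, not part of the original message or thread: a check a tester could run over a captured response's headers to see whether the page can linger in a browser cache or an intermediate proxy, the two places discussed above. The function names, the finding labels and the SAMPLE headers are constructed for illustration; the rules follow the standard HTTP meanings of no-store, private, no-cache, max-age and Expires.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument-or-None}."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip('"') or None
    return directives


def is_fresh(headers, cc, now):
    """True if a cache could reuse the response without asking the server."""
    if "no-cache" in cc:
        return False
    if "max-age" in cc:
        return (cc["max-age"] or "").isdigit() and int(cc["max-age"]) > 0
    expires = headers.get("expires")
    if expires is None:
        return True  # no lifetime given: caches may apply heuristic freshness
    try:
        when = parsedate_to_datetime(expires)
    except (TypeError, ValueError):
        return False  # invalid dates such as "0" count as already expired
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when > now


def cache_exposure(raw_headers, now=None):
    """List the ways a response could linger in a browser or proxy cache."""
    now = now or datetime.now(timezone.utc)
    headers = {k.lower(): v for k, v in raw_headers.items()}
    cc = parse_cache_control(headers.get("cache-control", ""))
    if "no-store" in cc:
        return []  # neither browsers nor proxies may keep a copy
    findings = ["browser-may-store"]
    if "private" not in cc:
        findings.append("shared-proxy-may-store")
    if is_fresh(headers, cc, now):
        findings.append("reusable-without-revalidation")
    return findings


# Constructed sample: headers an expiry-only page might send (assumed values).
SAMPLE = {"Cache-Control": "private", "Expires": "Fri, 01 Sep 2000 08:53:07 GMT"}
```

An empty result means the response forbids storage outright; any other result names where a copy may remain.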