Cached form fields
Need
Prevention of sensitive information leakage through cached form fields
Context
• Requirement of Ruby 2.0 or higher for running the application
• Usage of Rails framework for building web applications
Description
1. Non compliant code
class UsersController < ApplicationController
  def new
    @user = User.new
  end
  def create
    @user = User.new(user_params)
      redirect_to @user...This code is a standard implementation of a form in a Ruby on Rails application. It creates a new User object and then saves it to the database if the input is valid. The form fields are not explicitly disabled from being cached by the browser. The vulnerability lies in the fact that sensitive information such as name, email, password, and password confirmation are not protected from caching. This means that if a user fills out this form and then leaves the page without submitting, the form data can be stored in the browser's cache. This cached data can then potentially be accessed by an attacker, who could use it for malicious purposes. This vulnerability is especially concerning for shared or public computers, where multiple users might use the same browser. If one user enters sensitive information into the form and then leaves the page without submitting, the next user could potentially retrieve this information from the cache. In this particular code, the vulnerability could be exploited to gain unauthorized access to user accounts, as it exposes both the email (which is often used as a username) and the password. This could lead to data breaches and other security incidents.
2. Steps
• Disable caching of input fields in the application
• Add the 'autocomplete' attribute to form fields and set it to 'off'
• Use secure HTTP headers to prevent caching of sensitive information
• Implement CSRF protection to prevent cross-site request forgery attacks
3. Secure code example
class UsersController < ApplicationController
  before_action :set_cache_buster
  def new
    @user = User.new
  end
    @user = User.new(user_params)...The updated code includes a `before_action` callback `set_cache_buster` that is called before every action in the `UsersController`. This method sets HTTP headers to prevent the browser from caching the response. The `Cache-Control` header is set to `no-cache, no-store, max-age=0, must-revalidate` which tells the browser not to cache the response. The `Pragma` header is set to `no-cache` which is a fallback for HTTP/1.0 clients. The `Expires` header is set to a date in the past, telling the browser that the response is already expired and should not be cached. This will prevent the caching of form fields and sensitive information in the browser's cache, mitigating the risk of information leakage. Please note that this is a server-side solution. For a complete solution, you should also set the `autocomplete` attribute to `off` on the form fields in your views to instruct the browser not to cache input values.
References
• 065. Cached form fields