Avoid caching and temporary files
Summary
The system must not store sensitive information in temporary files or cache memory.
Description
Applications sometimes reside in or get consumed by environments in which caching is possible. Caching helps performance or makes certain actions more comfortable for the application users. However, cached information is often more susceptible to being exposed or corrupted. Thus, avoiding cache memory and temporary files helps protect sensitive information.
References
- CWE-285. Improper authorization
- CWE-377. Insecure temporary file
- CWE-524. Use of cache containing sensitive information
- CWE-525. Use of web browser cache containing sensitive information
- EPRIVACY-4_1a. Security of processing
- GDPR-5_1f. Principles relating to processing of personal data
- OWASP10-A2. Cryptographic failures
- CERTJ-FIO03-J. Remove temporary files before termination
- NYSHIELD-5575_B_6. Personal and private information
- HITRUST-09_h. Capacity management
- OSSTMM3-11_11_1. Data networks security - Privacy containment mapping
- WASC-W_13. Information leakage
- NISTSSDF-PS_3_1. Archive and protect each software release
- PTES-7_4_4_2. Post Exploitation - Pillaging (user information on web browsers)
- OWASPSCP-8. Data protection
- ASVS-8_1_2. General data protection
- CASA-13_1_4. Generic Web Service Security
- OWASPLLM-LLM02:2025. Sensitive Information Disclosure
- OWASPLLM-LLM07:2025. System Prompt Leakage
- OWASPLLM-LLM08:2025. Vector and Embedding Weaknesses
Weaknesses
- 019. Administrative credentials stored in cache memory
- 028. Insecure temporary files
- 038. Business information leak
- 065. Cached form fields
- 080. Business information leak - Customers or providers
- 085. Sensitive data stored in client-side storage
- 136. Insecure or unset HTTP headers - Cache Control
- 213. Business information leak - JWT
- 214. Business information leak - Credentials
- 215. Business information leak - Repository
- 216. Business information leak - Source Code
- 217. Business information leak - Credit Cards
- 218. Business information leak - Network Unit
- 219. Business information leak - Redis
- 220. Business information leak - Token
- 221. Business information leak - Users
- 222. Business information leak - DB
- 223. Business information leak - JFROG
- 224. Business information leak - AWS
- 225. Business information leak - Azure
- 226. Business information leak - Personal Information
- 227. Business information leak - NAC
- 228. Business information leak - Analytics
- 229. Business information leak - Power BI
- 230. Business information leak - Firestore
- 291. Business information leak - Financial Information
- 336. Business information leak - Corporate information
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.