Redmine

<html>

<head>

<META http-equiv="Content-Type" content="text/html; charset=UTF-8">

<title>Web application Scanning Report for https://11.111.11.111:1111/redmine/</title>

</head>

<body text="#000000">

<p>

<strong>unauthenticated scan</strong>

</p>

<p>

</p>

<p>

<strong>Summary of Alerts</strong>

</p>

<table width="45%" border="0">

<tr bgcolor="#666666">

<td width="45%" height="24"><strong><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif">Risk 

      Level</font></strong></td><td width="55%" align="center"><strong><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif">Number 

      of Alerts</font></strong></td>

</tr>

<tr bgcolor="#e8e8e8">

<td><font size="2" face="Arial, Helvetica, sans-serif"><a href="#high">High</a></font></td><td align="center"><font size="2" face="Arial, Helvetica, sans-serif">0</font></td>

</tr>

<tr bgcolor="#e8e8e8">

<td><font size="2" face="Arial, Helvetica, sans-serif"><a href="#medium">Medium</a></font></td><td align="center"><font size="2" face="Arial, Helvetica, sans-serif">9</font></td>

</tr>

<tr bgcolor="#e8e8e8">

<td><font size="2" face="Arial, Helvetica, sans-serif"><a href="#low">Low</a></font></td><td align="center"><font size="2" face="Arial, Helvetica, sans-serif">23</font></td>

</tr>

<tr bgcolor="#e8e8e8">

<td><font size="2" face="Arial, Helvetica, sans-serif"><a href="#info">Informational</a></font></td><td align="center"><font size="2" face="Arial, Helvetica, sans-serif">0</font></td>

</tr>

</table>

<p></p>

<p></p>

<p>

<strong>Alert Detail</strong>

</p>

<p></p>

<table width="100%" border="0">

<tr bgcolor="orange" height="24">

<td width="20%" valign="top"><strong><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif"><a name="medium"></a>Medium (Warning)</font></strong></td><td width="80%"><strong><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif">Secure page browser cache</font></strong></td>

</tr>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%"><font size="2" face="Arial, Helvetica, sans-serif">

<p>Description</p>

</font></td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">

<p align="justify">Secure page can be cached in browser.  Cache control is not set in HTTP header nor HTML header.  Sensitive content can be recovered from browser storage.</p>

</font></td>

</tr>

<TR vAlign="top">

<TD colspan="2"></TD>

</TR>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%">

<blockquote>

<font size="2" face="Arial, Helvetica, sans-serif">URL</font>

</blockquote>

</td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">https://11.111.11.111:1111/redmine/</font></td>

</tr>

<TR vAlign="top">

<TD colspan="2"></TD>

</TR>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%"><font size="2" face="Arial, Helvetica, sans-serif">

<p>Solution</p>

</font></td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">

<p align="justify">The best way is to set HTTP header with: 'Pragma: No-cache' and 'Cache-control: No-cache'. </p>

<p align="justify">Alternatively, this can be set in the HTML header by: </p>

<p align="justify">&lt;META HTTP-EQUIV='Pragma' CONTENT='no-cache'&gt; </p>

<p align="justify">&lt;META HTTP-EQUIV='Cache-Control' CONTENT='no-cache'&gt; </p>

<p align="justify">but some browsers may have problem using this method.</p>

</font></td>

</tr>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%"><font size="2" face="Arial, Helvetica, sans-serif">

<p>Reference</p>

</font></td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">

<p align="justify">How to prevent caching in Internet Explorer - http://support.microsoft.com/default.aspx?kbid=234067</p>

<p align="justify">Pragma: No-cache Tag May Not Prevent Page from Being Cached - http://support.microsoft.com/default.aspx?kbid=222064</p>

</font></td>

</tr>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%"><font size="2" face="Arial, Helvetica, sans-serif">

<p>CWE Id</p>

</font></td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">525</font></td>

</tr>

</table>

<p></p>

<table width="100%" border="0">

<tr bgcolor="orange" height="24">

<td width="20%" valign="top"><strong><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif"><a name="medium"></a>Medium (Warning)</font></strong></td><td width="80%"><strong><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif">Secure page browser cache</font></strong></td>

</tr>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%"><font size="2" face="Arial, Helvetica, sans-serif">

<p>Description</p>

</font></td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">

<p align="justify">Secure page can be cached in browser.  Cache control is not set in HTTP header nor HTML header.  Sensitive content can be recovered from browser storage.</p>

</font></td>

</tr>

<TR vAlign="top">

<TD colspan="2"></TD>

</TR>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%">

<blockquote>

<font size="2" face="Arial, Helvetica, sans-serif">URL</font>

</blockquote>

</td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">https://11.111.11.111:1111/redmine/login</font></td>

</tr>

<TR vAlign="top">

<TD colspan="2"></TD>

</TR>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%"><font size="2" face="Arial, Helvetica, sans-serif">

<p>Solution</p>

</font></td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">

<p align="justify">The best way is to set HTTP header with: 'Pragma: No-cache' and 'Cache-control: No-cache'. </p>

<p align="justify">Alternatively, this can be set in the HTML header by: </p>

<p align="justify">&lt;META HTTP-EQUIV='Pragma' CONTENT='no-cache'&gt; </p>

<p align="justify">&lt;META HTTP-EQUIV='Cache-Control' CONTENT='no-cache'&gt; </p>

<p align="justify">but some browsers may have problem using this method.</p>

</font></td>

</tr>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%"><font size="2" face="Arial, Helvetica, sans-serif">

<p>Reference</p>

</font></td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">

<p align="justify">How to prevent caching in Internet Explorer - http://support.microsoft.com/default.aspx?kbid=234067</p>

<p align="justify">Pragma: No-cache Tag May Not Prevent Page from Being Cached - http://support.microsoft.com/default.aspx?kbid=222064</p>

</font></td>

</tr>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%"><font size="2" face="Arial, Helvetica, sans-serif">

<p>CWE Id</p>

</font></td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">525</font></td>

</tr>

</table>

<p></p>

<table width="100%" border="0">

<tr bgcolor="orange" height="24">

<td width="20%" valign="top"><strong><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif"><a name="medium"></a>Medium (Warning)</font></strong></td><td width="80%"><strong><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif">Secure page browser cache</font></strong></td>

</tr>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%"><font size="2" face="Arial, Helvetica, sans-serif">

<p>Description</p>

</font></td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">

<p align="justify">Secure page can be cached in browser.  Cache control is not set in HTTP header nor HTML header.  Sensitive content can be recovered from browser storage.</p>

</font></td>

</tr>

<TR vAlign="top">

<TD colspan="2"></TD>

</TR>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%">

<blockquote>

<font size="2" face="Arial, Helvetica, sans-serif">URL</font>

</blockquote>

</td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">https://11.111.11.111:1111/redmine/login?back_url=https%3A%2F%2F11.111.11.111%3A1111%2Fredmine%2F</font></td>

</tr>

<TR vAlign="top">

<TD colspan="2"></TD>

</TR>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%"><font size="2" face="Arial, Helvetica, sans-serif">

<p>Solution</p>

</font></td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">

<p align="justify">The best way is to set HTTP header with: 'Pragma: No-cache' and 'Cache-control: No-cache'. </p>

<p align="justify">Alternatively, this can be set in the HTML header by: </p>

<p align="justify">&lt;META HTTP-EQUIV='Pragma' CONTENT='no-cache'&gt; </p>

<p align="justify">&lt;META HTTP-EQUIV='Cache-Control' CONTENT='no-cache'&gt; </p>

<p align="justify">but some browsers may have problem using this method.</p>

</font></td>

</tr>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%"><font size="2" face="Arial, Helvetica, sans-serif">

<p>Reference</p>

</font></td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">

<p align="justify">How to prevent caching in Internet Explorer - http://support.microsoft.com/default.aspx?kbid=234067</p>

<p align="justify">Pragma: No-cache Tag May Not Prevent Page from Being Cached - http://support.microsoft.com/default.aspx?kbid=222064</p>

</font></td>

</tr>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%"><font size="2" face="Arial, Helvetica, sans-serif">

<p>CWE Id</p>

</font></td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">525</font></td>

</tr>

</table>

<p></p>

<table width="100%" border="0">

<tr bgcolor="orange" height="24">

<td width="20%" valign="top"><strong><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif"><a name="medium"></a>Medium (Warning)</font></strong></td><td width="80%"><strong><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif">Secure page browser cache</font></strong></td>

</tr>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%"><font size="2" face="Arial, Helvetica, sans-serif">

<p>Description</p>

</font></td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">

<p align="justify">Secure page can be cached in browser.  Cache control is not set in HTTP header nor HTML header.  Sensitive content can be recovered from browser storage.</p>

</font></td>

</tr>

<TR vAlign="top">

<TD colspan="2"></TD>

</TR>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%">

<blockquote>

<font size="2" face="Arial, Helvetica, sans-serif">URL</font>

</blockquote>

</td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">https://11.111.11.111:1111/redmine/account/lost_password</font></td>

</tr>

<TR vAlign="top">

<TD colspan="2"></TD>

</TR>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%"><font size="2" face="Arial, Helvetica, sans-serif">

<p>Solution</p>

</font></td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">

<p align="justify">The best way is to set HTTP header with: 'Pragma: No-cache' and 'Cache-control: No-cache'. </p>

<p align="justify">Alternatively, this can be set in the HTML header by: </p>

<p align="justify">&lt;META HTTP-EQUIV='Pragma' CONTENT='no-cache'&gt; </p>

<p align="justify">&lt;META HTTP-EQUIV='Cache-Control' CONTENT='no-cache'&gt; </p>

<p align="justify">but some browsers may have problem using this method.</p>

</font></td>

</tr>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%"><font size="2" face="Arial, Helvetica, sans-serif">

<p>Reference</p>

</font></td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">

<p align="justify">How to prevent caching in Internet Explorer - http://support.microsoft.com/default.aspx?kbid=234067</p>

<p align="justify">Pragma: No-cache Tag May Not Prevent Page from Being Cached - http://support.microsoft.com/default.aspx?kbid=222064</p>

</font></td>

</tr>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%"><font size="2" face="Arial, Helvetica, sans-serif">

<p>CWE Id</p>

</font></td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">525</font></td>

</tr>

</table>

<p></p>

<table width="100%" border="0">

<tr bgcolor="orange" height="24">

<td width="20%" valign="top"><strong><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif"><a name="medium"></a>Medium (Warning)</font></strong></td><td width="80%"><strong><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif">Secure page browser cache</font></strong></td>

</tr>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%"><font size="2" face="Arial, Helvetica, sans-serif">

<p>Description</p>

</font></td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">

<p align="justify">Secure page can be cached in browser.  Cache control is not set in HTTP header nor HTML header.  Sensitive content can be recovered from browser storage.</p>

</font></td>

</tr>

<TR vAlign="top">

<TD colspan="2"></TD>

</TR>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%">

<blockquote>

<font size="2" face="Arial, Helvetica, sans-serif">URL</font>

</blockquote>

</td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">https://11.111.11.111:1111/redmine/javascripts/application.js</font></td>

</tr>

<TR vAlign="top">

<TD colspan="2"></TD>

</TR>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%"><font size="2" face="Arial, Helvetica, sans-serif">

<p>Solution</p>

</font></td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">

<p align="justify">The best way is to set HTTP header with: 'Pragma: No-cache' and 'Cache-control: No-cache'. </p>

<p align="justify">Alternatively, this can be set in the HTML header by: </p>

<p align="justify">&lt;META HTTP-EQUIV='Pragma' CONTENT='no-cache'&gt; </p>

<p align="justify">&lt;META HTTP-EQUIV='Cache-Control' CONTENT='no-cache'&gt; </p>

<p align="justify">but some browsers may have problem using this method.</p>

</font></td>

</tr>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%"><font size="2" face="Arial, Helvetica, sans-serif">

<p>Reference</p>

</font></td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">

<p align="justify">How to prevent caching in Internet Explorer - http://support.microsoft.com/default.aspx?kbid=234067</p>

<p align="justify">Pragma: No-cache Tag May Not Prevent Page from Being Cached - http://support.microsoft.com/default.aspx?kbid=222064</p>

</font></td>

</tr>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%"><font size="2" face="Arial, Helvetica, sans-serif">

<p>CWE Id</p>

</font></td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">525</font></td>

</tr>

</table>

<p></p>

<table width="100%" border="0">

<tr bgcolor="orange" height="24">

<td width="20%" valign="top"><strong><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif"><a name="medium"></a>Medium (Warning)</font></strong></td><td width="80%"><strong><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif">Secure page browser cache</font></strong></td>

</tr>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%"><font size="2" face="Arial, Helvetica, sans-serif">

<p>Description</p>

</font></td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">

<p align="justify">Secure page can be cached in browser.  Cache control is not set in HTTP header nor HTML header.  Sensitive content can be recovered from browser storage.</p>

</font></td>

</tr>

<TR vAlign="top">

<TD colspan="2"></TD>

</TR>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%">

<blockquote>

<font size="2" face="Arial, Helvetica, sans-serif">URL</font>

</blockquote>

</td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">https://11.111.11.111:1111/redmine/javascripts/jquery-1.11.1-ui-1.11.0-ujs-3.1.1.js</font></td>

</tr>

<TR vAlign="top">

<TD colspan="2"></TD>

</TR>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%"><font size="2" face="Arial, Helvetica, sans-serif">

<p>Solution</p>

</font></td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">

<p align="justify">The best way is to set HTTP header with: 'Pragma: No-cache' and 'Cache-control: No-cache'. </p>

<p align="justify">Alternatively, this can be set in the HTML header by: </p>

<p align="justify">&lt;META HTTP-EQUIV='Pragma' CONTENT='no-cache'&gt; </p>

<p align="justify">&lt;META HTTP-EQUIV='Cache-Control' CONTENT='no-cache'&gt; </p>

<p align="justify">but some browsers may have problem using this method.</p>

</font></td>

</tr>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%"><font size="2" face="Arial, Helvetica, sans-serif">

<p>Reference</p>

</font></td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">

<p align="justify">How to prevent caching in Internet Explorer - http://support.microsoft.com/default.aspx?kbid=234067</p>

<p align="justify">Pragma: No-cache Tag May Not Prevent Page from Being Cached - http://support.microsoft.com/default.aspx?kbid=222064</p>

</font></td>

</tr>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%"><font size="2" face="Arial, Helvetica, sans-serif">

<p>CWE Id</p>

</font></td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">525</font></td>

</tr>

</table>

<p></p>

<table width="100%" border="0">

<tr bgcolor="orange" height="24">

<td width="20%" valign="top"><strong><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif"><a name="medium"></a>Medium (Warning)</font></strong></td><td width="80%"><strong><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif">Secure page browser cache</font></strong></td>

</tr>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%"><font size="2" face="Arial, Helvetica, sans-serif">

<p>Description</p>

</font></td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">

<p align="justify">Secure page can be cached in browser.  Cache control is not set in HTTP header nor HTML header.  Sensitive content can be recovered from browser storage.</p>

</font></td>

</tr>

<TR vAlign="top">

<TD colspan="2"></TD>

</TR>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%">

<blockquote>

<font size="2" face="Arial, Helvetica, sans-serif">URL</font>

</blockquote>

</td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">https://11.111.11.111:1111/redmine/plugin_assets/redmine_agile/stylesheets/redmine_agile.css</font></td>

</tr>

<TR vAlign="top">

<TD colspan="2"></TD>

</TR>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%"><font size="2" face="Arial, Helvetica, sans-serif">

<p>Solution</p>

</font></td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">

<p align="justify">The best way is to set HTTP header with: 'Pragma: No-cache' and 'Cache-control: No-cache'. </p>

<p align="justify">Alternatively, this can be set in the HTML header by: </p>

<p align="justify">&lt;META HTTP-EQUIV='Pragma' CONTENT='no-cache'&gt; </p>

<p align="justify">&lt;META HTTP-EQUIV='Cache-Control' CONTENT='no-cache'&gt; </p>

<p align="justify">but some browsers may have problem using this method.</p>

</font></td>

</tr>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%"><font size="2" face="Arial, Helvetica, sans-serif">

<p>Reference</p>

</font></td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">

<p align="justify">How to prevent caching in Internet Explorer - http://support.microsoft.com/default.aspx?kbid=234067</p>

<p align="justify">Pragma: No-cache Tag May Not Prevent Page from Being Cached - http://support.microsoft.com/default.aspx?kbid=222064</p>

</font></td>

</tr>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%"><font size="2" face="Arial, Helvetica, sans-serif">

<p>CWE Id</p>

</font></td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">525</font></td>

</tr>

</table>

<p></p>

<table width="100%" border="0">

<tr bgcolor="orange" height="24">

<td width="20%" valign="top"><strong><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif"><a name="medium"></a>Medium (Warning)</font></strong></td><td width="80%"><strong><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif">Secure page browser cache</font></strong></td>

</tr>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%"><font size="2" face="Arial, Helvetica, sans-serif">

<p>Description</p>

</font></td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">

<p align="justify">Secure page can be cached in browser.  Cache control is not set in HTTP header nor HTML header.  Sensitive content can be recovered from browser storage.</p>

</font></td>

</tr>

<TR vAlign="top">

<TD colspan="2"></TD>

</TR>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%">

<blockquote>

<font size="2" face="Arial, Helvetica, sans-serif">URL</font>

</blockquote>

</td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">https://11.111.11.111:1111/redmine/stylesheets/application.css</font></td>

</tr>

<TR vAlign="top">

<TD colspan="2"></TD>

</TR>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%"><font size="2" face="Arial, Helvetica, sans-serif">

<p>Solution</p>

</font></td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">

<p align="justify">The best way is to set HTTP header with: 'Pragma: No-cache' and 'Cache-control: No-cache'. </p>

<p align="justify">Alternatively, this can be set in the HTML header by: </p>

<p align="justify">&lt;META HTTP-EQUIV='Pragma' CONTENT='no-cache'&gt; </p>

<p align="justify">&lt;META HTTP-EQUIV='Cache-Control' CONTENT='no-cache'&gt; </p>

<p align="justify">but some browsers may have problem using this method.</p>

</font></td>

</tr>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%"><font size="2" face="Arial, Helvetica, sans-serif">

<p>Reference</p>

</font></td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">

<p align="justify">How to prevent caching in Internet Explorer - http://support.microsoft.com/default.aspx?kbid=234067</p>

<p align="justify">Pragma: No-cache Tag May Not Prevent Page from Being Cached - http://support.microsoft.com/default.aspx?kbid=222064</p>

</font></td>

</tr>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%"><font size="2" face="Arial, Helvetica, sans-serif">

<p>CWE Id</p>

</font></td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">525</font></td>

</tr>

</table>

<p></p>

<table width="100%" border="0">

<tr bgcolor="orange" height="24">

<td width="20%" valign="top"><strong><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif"><a name="medium"></a>Medium (Warning)</font></strong></td><td width="80%"><strong><font color="#FFFFFF" size="2" face="Arial, Helvetica, sans-serif">Secure page browser cache</font></strong></td>

</tr>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%"><font size="2" face="Arial, Helvetica, sans-serif">

<p>Description</p>

</font></td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">

<p align="justify">Secure page can be cached in browser.  Cache control is not set in HTTP header nor HTML header.  Sensitive content can be recovered from browser storage.</p>

</font></td>

</tr>

<TR vAlign="top">

<TD colspan="2"></TD>

</TR>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%">

<blockquote>

<font size="2" face="Arial, Helvetica, sans-serif">URL</font>

</blockquote>

</td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">https://11.111.11.111:1111/redmine/stylesheets/jquery/jquery-ui-1.11.0.css</font></td>

</tr>

<TR vAlign="top">

<TD colspan="2"></TD>

</TR>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%"><font size="2" face="Arial, Helvetica, sans-serif">

<p>Solution</p>

</font></td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">

<p align="justify">The best way is to set HTTP header with: 'Pragma: No-cache' and 'Cache-control: No-cache'. </p>

<p align="justify">Alternatively, this can be set in the HTML header by: </p>

<p align="justify">&lt;META HTTP-EQUIV='Pragma' CONTENT='no-cache'&gt; </p>

<p align="justify">&lt;META HTTP-EQUIV='Cache-Control' CONTENT='no-cache'&gt; </p>

<p align="justify">but some browsers may have problem using this method.</p>

</font></td>

</tr>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%"><font size="2" face="Arial, Helvetica, sans-serif">

<p>Reference</p>

</font></td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">

<p align="justify">How to prevent caching in Internet Explorer - http://support.microsoft.com/default.aspx?kbid=234067</p>

<p align="justify">Pragma: No-cache Tag May Not Prevent Page from Being Cached - http://support.microsoft.com/default.aspx?kbid=222064</p>

</font></td>

</tr>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%"><font size="2" face="Arial, Helvetica, sans-serif">

<p>CWE Id</p>

</font></td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">525</font></td>

</tr>

</table>

<p></p>

<table width="100%" border="0">

<tr bgcolor="yellow" height="24">

<a name="low"></a><td width="20%" valign="top"><strong><font color="#000000" size="2" face="Arial, Helvetica, sans-serif">Low (Warning)</font></strong></td><td width="80%"><strong><font color="#000000" size="2" face="Arial, Helvetica, sans-serif">Incomplete or no cache-control and pragma HTTPHeader set</font></strong></td>

</tr>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%"><font size="2" face="Arial, Helvetica, sans-serif">

<p>Description</p>

</font></td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">

<p align="justify">The cache-control and pragma HTTPHeader have not been set properly allowing the browser and proxies to cache content</p>

</font></td>

</tr>

<TR vAlign="top">

<TD colspan="2"></TD>

</TR>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%">

<blockquote>

<font size="2" face="Arial, Helvetica, sans-serif">URL</font>

</blockquote>

</td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">https://11.111.11.111:1111/redmine/</font></td>

</tr>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%">

<blockquote>

<font size="2" face="Arial, Helvetica, sans-serif">Parameter</font>

</blockquote>

</td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">max-age=0, private, must-revalidate</font></td>

</tr>

<TR vAlign="top">

<TD colspan="2"></TD>

</TR>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%"><font size="2" face="Arial, Helvetica, sans-serif">

<p>Solution</p>

</font></td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">

<p align="justify">Whenever possible ensure the cache-control HTTPHeader is set with no-cache, no-store, must-revalidate, private, and the pragma HTTPHeader is set with no-cache.</p>

</font></td>

</tr>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%"><font size="2" face="Arial, Helvetica, sans-serif">

<p>Reference</p>

</font></td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">

<p align="justify">https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching</p>

</font></td>

</tr>

</table>

<p></p>

<table width="100%" border="0">

<tr bgcolor="yellow" height="24">

<a name="low"></a><td width="20%" valign="top"><strong><font color="#000000" size="2" face="Arial, Helvetica, sans-serif">Low (Warning)</font></strong></td><td width="80%"><strong><font color="#000000" size="2" face="Arial, Helvetica, sans-serif">Cookie set without secure flag</font></strong></td>

</tr>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%"><font size="2" face="Arial, Helvetica, sans-serif">

<p>Description</p>

</font></td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">

<p align="justify">A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.</p>

</font></td>

</tr>

<TR vAlign="top">

<TD colspan="2"></TD>

</TR>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%">

<blockquote>

<font size="2" face="Arial, Helvetica, sans-serif">URL</font>

</blockquote>

</td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">https://11.111.11.111:1111/redmine/</font></td>

</tr>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%">

<blockquote>

<font size="2" face="Arial, Helvetica, sans-serif">Parameter</font>

</blockquote>

</td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">_redmine_session=akZORkpDM2dYamo3eTc5bk53cHFoOHVrNldoZ2JReG5DUzlhczg1eXduL0NURGRycnlsL3FOTm5xWFhZc0NUdU9uay9pMEh4U2E2YzNhd1RDL3p2NE1OK3RHR2crSHBhYitiUHhZT0ovQ3FBUjYrMW5ycE5ibStBRStDM2x0dnlNN3MwTHZPRFA2SzdySzRMdFh6MXNmK1QwUTh2azI5K0Izb1ZKVStPT1lIaXdid1d1M0hHQjkzYjJibmFsMEV6LS1ET08zNmtYYU1jVi9KYzBLNWtwYml3PT0%3D--3c51ea1f329064339cada37135f905d54b5763fb; path=/; HttpOnly</font></td>

</tr>

<TR vAlign="top">

<TD colspan="2"></TD>

</TR>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%"><font size="2" face="Arial, Helvetica, sans-serif">

<p>Solution</p>

</font></td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">

<p align="justify">Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted tunnel. Ensure that the secure flag is set for cookies containing such sensitive information.</p>

</font></td>

</tr>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%"><font size="2" face="Arial, Helvetica, sans-serif">

<p>Reference</p>

</font></td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">

<p align="justify">http://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)</p>

</font></td>

</tr>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%"><font size="2" face="Arial, Helvetica, sans-serif">

<p>WASC Id</p>

</font></td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">13</font></td>

</tr>

</table>

<p></p>

<table width="100%" border="0">

<tr bgcolor="yellow" height="24">

<a name="low"></a><td width="20%" valign="top"><strong><font color="#000000" size="2" face="Arial, Helvetica, sans-serif">Low (Warning)</font></strong></td><td width="80%"><strong><font color="#000000" size="2" face="Arial, Helvetica, sans-serif">Password Autocomplete in browser</font></strong></td>

</tr>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%"><font size="2" face="Arial, Helvetica, sans-serif">

<p>Description</p>

</font></td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">

<p align="justify">AUTOCOMPLETE attribute is not disabled in HTML FORM/INPUT element containing password type input.  Passwords may be stored in browsers and retrieved.</p>

</font></td>

</tr>

<TR vAlign="top">

<TD colspan="2"></TD>

</TR>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%">

<blockquote>

<font size="2" face="Arial, Helvetica, sans-serif">URL</font>

</blockquote>

</td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">https://11.111.11.111:1111/redmine/</font></td>

</tr>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%">

<blockquote>

<font size="2" face="Arial, Helvetica, sans-serif">Parameter</font>

</blockquote>

</td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">input</font></td>

</tr>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%">

<blockquote>

<font size="2" face="Arial, Helvetica, sans-serif">Attack</font>

</blockquote>

</td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">&lt;input type="password" name="password" id="password" tabindex="2" /&gt;</font></td>

</tr>

<TR vAlign="top">

<TD colspan="2"></TD>

</TR>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%"><font size="2" face="Arial, Helvetica, sans-serif">

<p>Solution</p>

</font></td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">

<p align="justify">Turn off AUTOCOMPLETE attribute in form or individual input elements containing password by using AUTOCOMPLETE='OFF'</p>

</font></td>

</tr>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%"><font size="2" face="Arial, Helvetica, sans-serif">

<p>Reference</p>

</font></td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">

<p align="justify">http://msdn.microsoft.com/library/default.asp?url=/workshop/author/forms/autocomplete_ovr.asp</p>

</font></td>

</tr>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%"><font size="2" face="Arial, Helvetica, sans-serif">

<p>CWE Id</p>

</font></td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">525</font></td>

</tr>

</table>

<p></p>

<table width="100%" border="0">

<tr bgcolor="yellow" height="24">

<a name="low"></a><td width="20%" valign="top"><strong><font color="#000000" size="2" face="Arial, Helvetica, sans-serif">Low (Warning)</font></strong></td><td width="80%"><strong><font color="#000000" size="2" face="Arial, Helvetica, sans-serif">Private IP disclosure</font></strong></td>

</tr>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%"><font size="2" face="Arial, Helvetica, sans-serif">

<p>Description</p>

</font></td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">

<p align="justify">A private IP such as 10.x.x.x, 172.x.x.x, 192.168.x.x has been found in the HTTP response body.  This information might be helpful for further attacks targeting internal systems.</p>

</font></td>

</tr>

<TR vAlign="top">

<TD colspan="2"></TD>

</TR>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%">

<blockquote>

<font size="2" face="Arial, Helvetica, sans-serif">URL</font>

</blockquote>

</td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">https://11.111.11.111:1111/redmine/</font></td>

</tr>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%">

<blockquote>

<font size="2" face="Arial, Helvetica, sans-serif">Attack</font>

</blockquote>

</td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">11.111.11.111:1111</font></td>

</tr>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%">

<blockquote>

<font size="2" face="Arial, Helvetica, sans-serif">Other information</font>

</blockquote>

</td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">11.111.11.111:1111

</font></td>

</tr>

<TR vAlign="top">

<TD colspan="2"></TD>

</TR>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%"><font size="2" face="Arial, Helvetica, sans-serif">

<p>Solution</p>

</font></td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">

<p align="justify">Remove the private IP address from the HTTP response body.  For comments, use JSP/ASP comment instead of HTML/JavaScript comment which can be seen by client browsers.</p>

</font></td>

</tr>

<TR vAlign="top">

<TD colspan="2"></TD>

</TR>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%"><font size="2" face="Arial, Helvetica, sans-serif">

<p>Reference</p>

</font></td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">

<p align="justify"></p>

</font></td>

</tr>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%"><font size="2" face="Arial, Helvetica, sans-serif">

<p>CWE Id</p>

</font></td><td width="80%"><font size="2" face="Arial, Helvetica, sans-serif">200</font></td>

</tr>

<tr bgcolor="#e8e8e8" valign="top">

<td width="20%"><font size="2" face="Arial, Helvetica, sans-serif">