CWE-402: Transmission of Private Resources

Overview

This guidance helps you interpret and remediate findings from DAST (Dynamic Application Security Testing) tools. The scanner detected that the application transmitted sensitive information to external domains or unauthorized contexts. Evidence includes sensitive data in HTTP responses sent to third-party domains, credentials/tokens visible in referrer headers, or private data appearing in client-side JavaScript accessible to other origins. Network traffic analysis shows sensitive values leaving the application's trust boundary.

Analyzing the Dynamic Scan Result

What the DAST Scanner Found

DAST findings for CWE-402 typically indicate that HTTP responses containing private or user-specific data were returned without appropriate cache-control directives, such as:

  • Missing or incorrect Cache-Control headers
  • Absence of no-store, no-cache, or private directives
  • Sensitive responses being cacheable by shared proxies or browsers

Evidence is based on response headers and observed caching behavior, not on request parameters or payloads.

Mapping DAST Findings to Source Code

CWE-402 does not map to a specific vulnerable parameter.
The issue resides in how HTTP responses containing sensitive data are constructed and how cache-control headers are applied.

When tracing this issue in code, look for:

  • Response construction logic for authenticated or user-specific data
  • Missing or incorrect Cache-Control, Pragma, or Expires headers
  • Framework defaults that allow caching of dynamic responses
  • Reverse proxy or CDN configurations that cache sensitive responses

Remediation

Core Principle: Never allow responses containing private or user-specific data to be cached or reused by shared intermediaries; caching behavior must be explicitly controlled by the server.

Verification and Follow-Up Testing

After applying the fix:

Verify Response Headers

  • Confirm responses containing sensitive data include appropriate cache-control directives (e.g., no-store, no-cache, private)
  • Verify headers are consistent across authenticated and unauthenticated flows
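
The core principle under Remediation and the header checks above, as an added example that is not part of this guidance: a standard-library Python helper that sets restrictive caching headers on responses carrying private data and re-implements the scanner's cache-control check so the fix can be verified offline. The function names, the directive set and the sample response are assumptions constructed for illustration.

```python
# Added example (not from the original guidance): standard-library Python that
# disables caching on responses carrying private data and reproduces the DAST
# check so the fix can be verified. All header values are constructed samples.

PRIVATE_CACHE_HEADERS = {
    # no-store forbids browser and shared caches from storing the response;
    # the other directives cover caches that ignore no-store.
    "Cache-Control": "no-store, no-cache, must-revalidate, private",
    "Pragma": "no-cache",  # HTTP/1.0 intermediaries
    "Expires": "0",        # legacy caches that honour Expires
}

def apply_private_cache_headers(headers, contains_private_data):
    """Return a copy of `headers`; when the body holds user-specific data,
    replace any existing caching headers (matched case-insensitively, as HTTP
    does) with the restrictive set above. Public responses are left alone."""
    if not contains_private_data:
        return dict(headers)
    restricted = {k.lower() for k in PRIVATE_CACHE_HEADERS}
    out = {k: v for k, v in headers.items() if k.lower() not in restricted}
    out.update(PRIVATE_CACHE_HEADERS)
    return out

def cache_control_findings(headers):
    """Reproduce the scanner's check: list why a response with private data
    could still be stored or reused by a cache. An empty list means it passes."""
    cc = next((v for k, v in headers.items() if k.lower() == "cache-control"), "")
    # Parse "public, max-age=3600" into {"public": None, "max-age": "3600"}.
    directives = {}
    for part in cc.split(","):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.lower()] = value or None
    if not directives:
        return ["Cache-Control header missing"]
    findings = []
    if "no-store" not in directives:
        findings.append("Cache-Control lacks no-store")
        max_age = directives.get("max-age")
        if max_age and max_age.isdigit() and int(max_age) > 0:
            findings.append("max-age=%s lets caches reuse the response" % max_age)
    if "public" in directives:
        findings.append("Cache-Control allows shared caches (public)")
    return findings

# Constructed sample: a profile endpoint response that the scanner would flag,
# followed by the same response after remediation.
FLAGGED = {"Content-Type": "application/json", "Cache-Control": "public, max-age=3600"}
FIXED = apply_private_cache_headers(FLAGGED, True)
```

Run `cache_control_findings` against the headers your application actually returns (for example, captured with a proxy) for both authenticated and unauthenticated flows; the reverse proxy or CDN in front of the application may still add its own caching headers, so check the response as the client sees it.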

Test Caching Behavior

  • Access the same resource across multiple sessions or users
  • Confirm private data is not reused or exposed

Re-run DAST Scanner

Re-run the dynamic scanner to confirm private responses are no longer cacheable.

Additional Resources