How to do it...

  1. Log into the Mutillidae application as admin with the password admin.
  2. Now log out of the application by clicking the Logout button from the top menu.
  3. Verify you are logged out by noting the Not Logged In message.
  4. View these steps as messages in Burp's Proxy | History as well. Note the logout performs a 302 redirect in an effort to not cache cookies or credentials in the browser:

  5. From the Firefox browser, click the back button and notice that you are now logged in as admin even though you did not log in! This is possible because of cached credentials stored in the browser and the lack of any cache-control protections set in the application.
  6. Now refresh/reload the page in the browser, and you will see you are logged out again.
  7. Examine the steps within the Proxy | HTTP history tab. Review the steps you did through the browser against the messages captured in the Proxy | HTTP history table:
    • Request 1 in the following screenshot is unauthenticated
    • Request 35 is the successful login (302) as admin
    • Request 37 is the logout of the admin account
    • Requests 38 and 39 are the refresh or reload of the browser page, logging us out again
  8. There is no request captured when you press the browser's back button. This is because the back button action is contained in the browser. No message was sent through Burp to the web server to perform this action. This is an important distinction to note. Nonetheless, we found a vulnerability associated with weak browser-caching protection. In cases such as this, penetration testers will take a screenshot of the logged-in cached page, seen after clicking the back button:
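As an added example (not from the book), here is a small Python checker for the caching weakness found in this recipe: it parses raw HTTP responses of the kind you would copy out of Burp's Proxy | HTTP history and reports which cache-control protections are absent. The two responses are constructed samples, not captures from Mutillidae.

```python
# Added example: report missing browser-cache protections on a raw HTTP
# response so an authenticated page cannot be replayed via the back button.

def parse_headers(raw: str) -> dict:
    """Return {lowercased-name: [values]} from the head of a raw response."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:        # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def cache_findings(raw: str) -> list:
    """List the missing protections; an empty list means the response is safe."""
    headers = parse_headers(raw)
    cc = ",".join(headers.get("cache-control", [])).lower()
    directives = {d.strip() for d in cc.split(",") if d.strip()}
    pragma = [v.lower() for v in headers.get("pragma", [])]
    findings = []
    if "no-store" not in directives:
        findings.append("Cache-Control missing no-store (page can be served from history)")
    if "no-cache" not in directives:
        findings.append("Cache-Control missing no-cache (cached copy may be reused)")
    if "no-cache" not in pragma:
        findings.append("Pragma: no-cache missing (HTTP/1.0 caches)")
    return findings


# Constructed sample responses, not captures from Mutillidae.
WEAK = (
    "HTTP/1.1 302 Found\r\n"
    "Location: /index.php\r\n"
    "Set-Cookie: PHPSESSID=constructed-session-id; path=/\r\n\r\n"
)
HARDENED = (
    "HTTP/1.1 302 Found\r\n"
    "Location: /index.php\r\n"
    "Set-Cookie: PHPSESSID=constructed-session-id; path=/\r\n"
    "Cache-Control: no-store, no-cache, must-revalidate\r\n"
    "Pragma: no-cache\r\n"
    "Expires: 0\r\n\r\n"
)

if __name__ == "__main__":
    for name, resp in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, cache_findings(resp) or "OK")
```

Paste the logout (302) response from step 7 into WEAK to check the real application; the 302 alone does not stop the browser from keeping the previous authenticated page.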
