Enjoy Sharing Technology!

Software, Development, DevOps, Security, Troubleshooting

Sunday, November 14, 2021

fortify scan: Cookie Security: HTTPOnly not Set on Application Cookie

Abstract:

The program does not set the httpCookies.httpOnlyCookies property to true in Web.config. 

Explanation:

The default value for the httpOnlyCookies attribute is false, meaning that the cookie is accessible through a client-side script. This is an unnecessary cross-site scripting threat, resulting in stolen cookies. Stolen cookies can contain sensitive information identifying the user to the site, such as the ASP.NET session ID or forms authentication ticket, and can be replayed by the attacker in order to masquerade as the user or obtain sensitive information.

Example 1: Vulnerable configuration (the httpCookies element explicitly disables HttpOnly, which is also the behaviour you get when the attribute is omitted):

<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="false" />
  </system.web>
</configuration>

Recommendations:

Microsoft Internet Explorer version 6 Service Pack 1 and later supports a cookie property, HttpOnly, that can help mitigate cross-site scripting threats that result in stolen cookies. Stolen cookies can contain sensitive information identifying the user to the site, such as the ASP.NET session ID or forms authentication ticket, and can be replayed by the attacker in order to masquerade as the user or obtain sensitive information. When an HttpOnly cookie is received by a compliant browser, it is inaccessible to client-side script.

Example 2: The secure configuration is shown below. Any cookie marked with this property will be accessible only from server-side code, and not to any client-side scripting code such as JavaScript or VBScript. Shielding cookies from the client in this way helps protect web applications from cross-site scripting attacks. An attacker initiates a cross-site scripting (also called CSS or XSS) attack by attempting to insert his own script code into the web page to get around whatever application security is in place. Any page that accepts input from a user and echoes that input back is potentially vulnerable.

<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="true" />
  </system.web>
</configuration>
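The two checks a practitioner would want to automate after reading this finding, as an added example that is not part of the original post and not Fortify's own rule logic: a static check that reads a Web.config and reports whether httpOnlyCookies is enabled (treating a missing httpCookies element or attribute as the false default the explanation describes), and a response-side check that parses Set-Cookie header values and lists the cookies that were issued without the HttpOnly attribute. The Web.config fragments and the Set-Cookie values are constructed sample data; the cookie names ASP.NET_SessionId and .ASPXAUTH are the standard ASP.NET session and forms-authentication cookie names.

```python
import xml.etree.ElementTree as ET

# Constructed sample Web.config fragments (not from any real project).
VULNERABLE_CONFIG = """<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="false" />
  </system.web>
</configuration>"""

SECURE_CONFIG = """<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="true" />
  </system.web>
</configuration>"""

# No httpCookies element at all: the attribute default (false) applies.
DEFAULT_CONFIG = """<configuration>
  <system.web>
    <compilation debug="false" />
  </system.web>
</configuration>"""

# Constructed Set-Cookie header values as a server might emit them.
SAMPLE_SET_COOKIE_HEADERS = [
    "ASP.NET_SessionId=abc123; path=/; HttpOnly",
    ".ASPXAUTH=ticketvalue; path=/",
    "prefs=dark; path=/",
]


def http_only_cookies_enabled(web_config_xml: str) -> bool:
    """Static check: True only if system.web/httpCookies carries
    httpOnlyCookies="true". A missing element or attribute is reported
    as False because that is the framework default."""
    root = ET.fromstring(web_config_xml)
    # Walk the tree by tag name rather than an XPath string so the dot in
    # "system.web" cannot be mistaken for path syntax.
    system_web = next((c for c in root if c.tag == "system.web"), None)
    if system_web is None:
        return False
    http_cookies = next((c for c in system_web if c.tag == "httpCookies"), None)
    if http_cookies is None:
        return False
    return http_cookies.get("httpOnlyCookies", "false").strip().lower() == "true"


def cookies_missing_httponly(set_cookie_headers) -> list:
    """Runtime check: return the names of cookies whose Set-Cookie value
    lacks the HttpOnly attribute (attribute matching is case-insensitive)."""
    missing = []
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name = parts[0].split("=", 1)[0].strip()
        attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
        if "httponly" not in attrs:
            missing.append(name)
    return missing


if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_CONFIG),
                       ("secure", SECURE_CONFIG),
                       ("default", DEFAULT_CONFIG)):
        print(f"{label:10s} httpOnlyCookies enabled: {http_only_cookies_enabled(cfg)}")
    print("cookies issued without HttpOnly:",
          cookies_missing_httponly(SAMPLE_SET_COOKIE_HEADERS))
```

The static check is what the Fortify finding is reporting on; the header check is the complementary control you would run against a deployed instance, since a per-cookie setting in code or a downstream proxy can still issue a cookie without the flag even when Web.config is correct.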
