Abstract:

The program does not set the HttpCookie.HttpOnly property to true.

Explanation:

The default value for the httpOnlyCookies attribute is false, meaning that the cookie is accessible through a client-side script.

This is an unnecessary cross-site scripting threat, resulting in stolen cookies. Stolen cookies can contain sensitive information identifying the user to the site, such as the ASP.NET session ID or forms authentication ticket, and can be replayed by the attacker in order to masquerade as the user or obtain sensitive information.

Example 1: Vulnerable configuration (the httpCookies element explicitly disables HttpOnly; omitting the attribute has the same effect, since its default is false):

<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="false" />
  </system.web>
</configuration>

Recommendations:

Microsoft Internet Explorer version 6 Service Pack 1 and later supports a cookie property, HttpOnly, that can help mitigate cross-site scripting threats that result in stolen cookies. Stolen cookies can contain sensitive information identifying the user to the site, such as the ASP.NET session ID or forms authentication ticket, and can be replayed by the attacker in order to masquerade as the user or obtain sensitive information. When an HttpOnly cookie is received by a compliant browser, it is inaccessible to client-side script.

Example 2: The secure configuration is shown below. Any cookie marked with this property will be accessible only from server-side code, and not to any client-side scripting code like JavaScript or VBScript. This shielding of cookies from the client helps to protect Web-based applications from cross-site scripting attacks. A hacker initiates a cross-site scripting (also called CSS or XSS) attack by attempting to insert his own script code into the Web page to get around any application security in place. Any page that accepts input from a user and echoes that input back is potentially vulnerable.

<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="true" />
  </system.web>
</configuration>
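The two configurations above differ in a single attribute, and the vulnerable state also arises when the attribute is simply absent, because ASP.NET defaults httpOnlyCookies to false. The following Python script is an added example (not part of the original page or of ASP.NET) that audits a web.config for that attribute, treats a missing element or attribute as the insecure default, and emits a hardened copy. The three sample configurations embedded in it are constructed for this example; the audit only inspects the standard system.web/httpCookies path shown on the page.

```python
"""Audit an ASP.NET web.config for the httpCookies/httpOnlyCookies setting.

Added example, not part of the original page. It assumes the standard
web.config layout (configuration/system.web/httpCookies); the three sample
configs below are constructed for this example.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the vulnerable shape from the page (explicit false).
VULNERABLE_CONFIG = """<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="false" />
  </system.web>
</configuration>"""

# Constructed sample: attribute omitted entirely. ASP.NET defaults it to
# false, so this is just as exposed as the explicit setting above.
IMPLICIT_CONFIG = """<configuration>
  <system.web>
    <httpCookies />
  </system.web>
</configuration>"""

# Constructed sample: the secure shape from the page.
SECURE_CONFIG = """<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="true" />
  </system.web>
</configuration>"""


def _as_bool(value):
    """ASP.NET config booleans are case-insensitive 'true'/'false'."""
    return value is not None and value.strip().lower() == "true"


def audit_http_cookies(config_xml):
    """Return {'httpOnlyCookies': bool, 'findings': [str, ...]}.

    An empty findings list means the config sets httpOnlyCookies="true".
    A missing element or attribute is reported as a finding because the
    framework default is false.
    """
    root = ET.fromstring(config_xml)
    findings = []
    node = root.find("./system.web/httpCookies")
    if node is None:
        findings.append("no <httpCookies> element; httpOnlyCookies defaults to false")
        http_only = False
    else:
        raw = node.get("httpOnlyCookies")
        http_only = _as_bool(raw)
        if raw is None:
            findings.append("httpOnlyCookies attribute missing; default is false")
        elif not http_only:
            findings.append('httpOnlyCookies="%s" leaves cookies readable by script' % raw)
    return {"httpOnlyCookies": http_only, "findings": findings}


def harden(config_xml):
    """Return the config with httpOnlyCookies forced to true, creating
    <system.web> and <httpCookies> if they are absent."""
    root = ET.fromstring(config_xml)
    system_web = root.find("system.web")
    if system_web is None:
        system_web = ET.SubElement(root, "system.web")
    node = system_web.find("httpCookies")
    if node is None:
        node = ET.SubElement(system_web, "httpCookies")
    node.set("httpOnlyCookies", "true")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for label, cfg in (("explicit false", VULNERABLE_CONFIG),
                       ("attribute omitted", IMPLICIT_CONFIG),
                       ("secure", SECURE_CONFIG)):
        result = audit_http_cookies(cfg)
        print(label, "->", result["findings"] or "OK")
    print(harden(IMPLICIT_CONFIG))
```

Running the script reports the first two configurations as findings and the third as OK; the hardened output of the second is the same shape as Example 2. Feeding the hardened text back into audit_http_cookies returns no findings, which is the check a deployment pipeline would run before shipping the config.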

Tips:

1. It is possible to enable HttpOnly programmatically on any individual cookie by setting the HttpOnly property of the HttpCookie object to true. However, it is easier and more reliable to configure the application to automatically enable HttpOnly for all cookies. To do this, set the httpOnlyCookies attribute of the httpCookies element to true.

2. Setting the HttpOnly property to true does not prevent an attacker with access to the network channel from accessing the cookie directly. Consider using Secure Sockets Layer (SSL) to help protect against this. Workstation security is also important, as a malicious user could use an open browser window or a computer containing persistent cookies to obtain access to a Web site with a legitimate user's identity.
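Whether HttpOnly is applied per cookie (tip 1) or globally through web.config, the observable result is the HttpOnly attribute on each Set-Cookie response header, and the cookie-level counterpart of tip 2's SSL advice is the Secure attribute, which tells the browser to send the cookie only over HTTPS. The following Python script is an added example (not part of the original page) that audits captured Set-Cookie header values for both attributes and flags the ASP.NET session and forms-authentication cookies the page names as higher severity. The header values are constructed for this example; the parser is a deliberately small one that splits on semicolons and compares attribute names case-insensitively, as browsers do.

```python
"""Audit Set-Cookie response headers for the HttpOnly and Secure attributes.

Added example, not part of the original page. The header values below are
constructed for this example; the cookie names mirror the ASP.NET session
and forms-authentication cookies the page mentions.
"""
from dataclasses import dataclass, field

# Constructed sample headers, as they would appear in a captured response.
SAMPLE_HEADERS = [
    "ASP.NET_SessionId=abc123; path=/; HttpOnly",
    ".ASPXAUTH=ticket-bytes; path=/; expires=Thu, 01 Jan 2026 00:00:00 GMT",
    "prefs=dark; path=/; secure; httponly",
    "tracking=xyz; Secure",
]

# Cookie names the page singles out as carrying the user's identity.
SENSITIVE_NAMES = {"ASP.NET_SessionId", ".ASPXAUTH"}


@dataclass
class CookieFinding:
    name: str
    http_only: bool
    secure: bool
    problems: list = field(default_factory=list)


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, value, {attr: value_or_True}).

    Attribute names are lower-cased so 'HttpOnly', 'httponly' and 'HTTPONLY'
    all match; flag attributes without '=' are stored as True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value, attrs


def audit_cookie(header_value):
    """Evaluate one Set-Cookie header against the page's two tips."""
    name, _, attrs = parse_set_cookie(header_value)
    finding = CookieFinding(name=name,
                            http_only="httponly" in attrs,
                            secure="secure" in attrs)
    if not finding.http_only:
        finding.problems.append("missing HttpOnly: readable by client-side script")
    if not finding.secure:
        finding.problems.append("missing Secure: may be sent over plain HTTP")
    if name in SENSITIVE_NAMES and finding.problems:
        finding.problems.append("identity cookie: treat as high severity")
    return finding


def audit_headers(header_values):
    """Return findings for every header that has at least one problem."""
    return [f for f in (audit_cookie(h) for h in header_values) if f.problems]


if __name__ == "__main__":
    for f in audit_headers(SAMPLE_HEADERS):
        print(f.name, "->", "; ".join(f.problems))
```

On the sample headers the session cookie is reported for lacking Secure, the forms-authentication ticket for lacking both attributes, and the tracking cookie for lacking HttpOnly; the prefs cookie passes. The same function can be pointed at the Set-Cookie headers from a real response to confirm that the web.config change from Example 2 actually reached the wire.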
