Showing posts from February, 2011

A few common web.xml misconfigurations - Part II

Well, my colleague Sam says I am slowing down on posts, as I had written the last one a long time back :). Here's my first in this month, the second and concluding part of last month's series. A few more misconfigurations (refer to http://software-security.sans.org):

4. SSL Not Configured:

No need to explain why SSL is necessary. It protects the communication in transit from sniffing and tampering by encrypting it and, more importantly, provides authentication. So confidentiality is preserved. Configure it as follows (the <web-resource-collection> is required by the web.xml schema and selects the URLs the guarantee applies to; the pattern /* covers the whole application):

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Entire application</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>

5. Not marking Cookies as 'HttpOnly':

Cookies marked HttpOnly cannot be read by JavaScript in the browser, which makes the session cookie safer against the most common Cross-Site Scripting (XSS) attacks. It can still be exposed through Cross-Site Tracing (XST) attacks, though.
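As an added example (not from the original post), here is a small Python audit that reads a web.xml and reports misconfigurations 4 and 5: it looks for a CONFIDENTIAL transport guarantee whose web-resource-collection covers /*, and, going one step beyond the post, for the Servlet 3.0 <session-config><cookie-config><http-only> flag that marks the session cookie HttpOnly. The two web.xml fragments are constructed for this example.

```python
"""Audit a Servlet web.xml for misconfigurations 4 and 5 from this post."""
import xml.etree.ElementTree as ET

# web.xml fragments constructed for this example; they are not from any real application.
WEAK_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <session-config><session-timeout>30</session-timeout></session-config>
</web-app>"""

HARDENED_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>whole application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <session-config>
    <cookie-config><http-only>true</http-only><secure>true</secure></cookie-config>
  </session-config>
</web-app>"""


def _children(nodes, name):
    """Namespace-agnostic child lookup: web.xml usually declares a default xmlns."""
    return [c for n in nodes for c in n if c.tag.rsplit('}', 1)[-1] == name]


def _texts(nodes, *path):
    """Collect the stripped text of every element reached by walking path from nodes."""
    for name in path:
        nodes = _children(nodes, name)
    return [n.text.strip() for n in nodes if n.text]


def audit_web_xml(xml_text):
    """Return a list of findings; an empty list means both checks pass."""
    root = ET.fromstring(xml_text)
    findings = []
    # 4. Some security-constraint must force TLS (CONFIDENTIAL) on the catch-all pattern /*.
    tls_patterns = set()
    for sc in _children([root], 'security-constraint'):
        if 'CONFIDENTIAL' in _texts([sc], 'user-data-constraint', 'transport-guarantee'):
            tls_patterns.update(_texts([sc], 'web-resource-collection', 'url-pattern'))
    if '/*' not in tls_patterns:
        findings.append('no CONFIDENTIAL transport-guarantee covering /*: traffic may go over plain HTTP')
    # 5. The session cookie must be HttpOnly (Servlet 3.0 <session-config><cookie-config>).
    if 'true' not in _texts([root], 'session-config', 'cookie-config', 'http-only'):
        findings.append('session cookie not marked HttpOnly: readable by script if an XSS exists')
    return findings
```

Run audit_web_xml on a deployment's WEB-INF/web.xml; the weak fragment yields two findings and the hardened one none.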