Showing posts from February, 2011

Few common web.xml misconfigurations - Part II

Well, my colleague Sam says I am slowing down on posts, as I had written the last one a long time back :).
Here's my first this month, the second and concluding part of last month's series.
A few more misconfigurations (reference: http://software-security.sans.org):
4. SSL Not Configured:
There is no need to explain at length why SSL/TLS is necessary: it encrypts traffic in transit, which protects it from sniffing and tampering, and, more importantly, it authenticates the server to the client, so confidentiality and integrity are preserved. In web.xml, require it with a security-constraint whose transport-guarantee is CONFIDENTIAL. The constraint must carry a web-resource-collection with a url-pattern, otherwise it applies to no URL at all. The container then redirects matching plain-HTTP requests to HTTPS (Tomcat uses the connector's redirectPort), so a TLS connector must also be configured in the container itself; web.xml alone does not make the server speak HTTPS. Configure it as follows:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Entire application</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

5. Not marking cookies as 'HttpOnly':

Cookies marked HttpOnly cannot be read by JavaScript in the browser, which makes the session cookie safer against the most common Cross-Site Scripting (XSS) attacks: injected script can still issue requests that carry the cookie, but it cannot exfiltrate the cookie's value. The value can still be leaked by a Cross-Site Tracing (XST) attack if the server answers HTTP TRACE, so disable TRACE as well. HttpOnly also does nothing to keep the cookie off plain-HTTP requests; that requires the Secure flag, which belongs next to the SSL configuration above.
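A small audit script for both items 4 and 5, added here as an example and not part of the original post: it parses a web.xml and reports a security-constraint without url-patterns, the absence of a CONFIDENTIAL constraint on /*, and missing HttpOnly/Secure flags in the Servlet 3.0 session cookie-config (the Secure check goes slightly beyond the text, as noted above). The two descriptors embedded below are constructed samples, not real deployment descriptors; the function and constant names are my own.

```python
"""Audit a Servlet deployment descriptor (web.xml) for the two
misconfigurations discussed above. Added example, not code from the
original post; the sample descriptors below are constructed."""
import xml.etree.ElementTree as ET


def _name(el):
    """Tag name with the XML namespace stripped ('{ns}url-pattern' -> 'url-pattern')."""
    return el.tag.rsplit('}', 1)[-1]


def _children(el, name):
    """Direct children of el whose local tag name is `name`."""
    return [c for c in el if _name(c) == name]


def _text(el, name):
    """Text of the first child named `name`, or '' if absent."""
    found = _children(el, name)
    return (found[0].text or '').strip() if found else ''


def audit_web_xml(xml_text):
    """Return a list of findings (strings). An empty list means both checks pass."""
    root = ET.fromstring(xml_text)
    findings = []

    # Check 4: at least one security-constraint must require CONFIDENTIAL
    # transport on /*. A constraint without url-patterns protects nothing.
    confidential_patterns = []
    for sc in _children(root, 'security-constraint'):
        patterns = [p.text.strip()
                    for wrc in _children(sc, 'web-resource-collection')
                    for p in _children(wrc, 'url-pattern') if p.text]
        if not patterns:
            findings.append('security-constraint without web-resource-collection/'
                            'url-pattern applies to no URLs')
            continue
        udc = _children(sc, 'user-data-constraint')
        if udc and _text(udc[0], 'transport-guarantee') == 'CONFIDENTIAL':
            confidential_patterns.extend(patterns)
    if '/*' not in confidential_patterns:
        findings.append('no security-constraint enforces CONFIDENTIAL on /*; '
                        'plain HTTP is accepted')

    # Check 5: Servlet 3.0 session-cookie flags. HttpOnly keeps the cookie
    # away from script; Secure keeps it off plain-HTTP requests.
    session_cfg = _children(root, 'session-config')
    cookie_cfg = _children(session_cfg[0], 'cookie-config') if session_cfg else []
    flags = {f: (_text(cookie_cfg[0], f).lower() == 'true') if cookie_cfg else False
             for f in ('http-only', 'secure')}
    if not flags['http-only']:
        findings.append('session cookie is not HttpOnly '
                        '(<session-config><cookie-config><http-only>true</http-only>)')
    if not flags['secure']:
        findings.append('session cookie is not Secure '
                        '(<session-config><cookie-config><secure>true</secure>)')
    return findings


# Constructed sample: a constraint with no web-resource-collection and
# no cookie-config at all.
WEAK_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

# Constructed sample: the corrected descriptor.
HARDENED_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <session-config>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
  </session-config>
</web-app>"""

if __name__ == '__main__':
    for label, doc in (('weak', WEAK_WEB_XML), ('hardened', HARDENED_WEB_XML)):
        print(label, audit_web_xml(doc) or ['OK'])
```

Run it against a deployed WEB-INF/web.xml by reading the file into audit_web_xml; the namespace handling means it works for descriptors declared against either the java.sun.com or the jcp.org schema. The cookie-config element exists only from Servlet 3.0 onward, so on a Servlet 2.5 container the HttpOnly finding has to be resolved in container configuration instead (for Tomcat, the useHttpOnly attribute on the Context).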
Use the follo…