Well, my colleague Sam says I am slowing down on posts, as I had written the last one a long time back :).
Here's my first post this month, the second and concluding part of last month's series.
A few more misconfigurations (reference: http://software-security.sans.org):
4. SSL Not Configured:
There is no need to explain at length why SSL is necessary. It encrypts traffic in transit, protecting it from sniffing and tampering, and, more importantly, provides authentication. Confidentiality is thus preserved. Configure it as follows:
<security-constraint>
    <!-- web-resource-collection is mandatory in a security-constraint;
         the /* pattern shown here (assumed) applies the guarantee to the whole app -->
    <web-resource-collection>
        <web-resource-name>Entire application</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
5. Not marking Cookies as 'HttpOnly':
Marking cookies HttpOnly ensures that they cannot be read by JavaScript in the browser, which makes them safer against most common Cross-Site Scripting (XSS) attacks (cookie theft is still possible via Cross-Site Tracing (XST) attacks, though).
Use the following configuration (the cookie-config element requires a Servlet 3.0 or later web.xml):
<session-config>
    <cookie-config>
        <http-only>true</http-only>
    </cookie-config>
</session-config>
6. No Session Time-Out:
As a best practice for session management, always set a session time-out. Invalidating the session after the user has been idle for a specific period makes the application more resistant to session hijacking:
<session-config>
    <session-timeout>10</session-timeout>
</session-config>
The session will expire after 10 minutes of inactivity. Don't set a negative value (or zero), as that makes the session never expire.
7. Don't use URL parameters to store session IDs:
Session IDs are mainly tracked in one of two places: cookies or URL parameters. The latter is less secure, since URLs get logged and cached in places like browser history. Make sure that you store session IDs in cookies (tracking-mode also requires a Servlet 3.0 or later web.xml):
<session-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>
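The four settings above (items 4 to 7) are easy to check mechanically. The script below is an added example, not part of the original post or of any tool it references: it parses a web.xml with Python's standard xml.etree.ElementTree, ignores whichever Java EE namespace the descriptor uses, and reports which of the four misconfigurations are present. The two sample descriptors are constructed for the example; the hardened one puts all session settings in a single session-config element and adds a <secure>true</secure> cookie flag, which the post does not mention but which belongs next to http-only.

```python
"""Audit a web.xml for the four misconfigurations discussed above:
no CONFIDENTIAL transport guarantee, session cookie not HttpOnly,
no positive session-timeout, and session tracking via URL.
Added example; the sample descriptors below are constructed."""
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip the namespace ({uri}name -> name) so the checks work for both
    the java.sun.com and the xmlns.jcp.org web.xml namespaces."""
    return tag.rsplit("}", 1)[-1]


def _find_all(elem, name):
    """Return every descendant element whose local name matches."""
    return [e for e in elem.iter() if _local(e.tag) == name]


def _text(elem, child):
    """Return the stripped text of the first matching descendant, or None."""
    for e in _find_all(elem, child):
        if e.text:
            return e.text.strip()
    return None


def audit_web_xml(xml_text):
    """Return a list of finding strings; an empty list means all four checks pass."""
    root = ET.fromstring(xml_text)
    findings = []

    # 4. SSL: at least one security-constraint must demand CONFIDENTIAL transport.
    guarantees = [_text(sc, "transport-guarantee")
                  for sc in _find_all(root, "security-constraint")]
    if "CONFIDENTIAL" not in guarantees:
        findings.append("no security-constraint with transport-guarantee CONFIDENTIAL")

    configs = _find_all(root, "session-config")

    # 5. HttpOnly: cookie-config/http-only must be literally "true".
    if not any((_text(c, "http-only") or "").lower() == "true" for c in configs):
        findings.append("session cookie not marked HttpOnly (http-only true missing)")

    # 6. Timeout: must be present and positive; 0 or negative means never expires.
    timeouts = [t for t in (_text(c, "session-timeout") for c in configs) if t]
    if not timeouts:
        findings.append("no session-timeout set")
    else:
        try:
            minutes = int(timeouts[0])
        except ValueError:
            minutes = 0
        if minutes <= 0:
            findings.append(f"session-timeout {timeouts[0]} means the session never expires")

    # 7. Tracking mode: COOKIE only; any URL mode puts the session id into links and logs.
    modes = [m.text.strip().upper()
             for c in configs for m in _find_all(c, "tracking-mode") if m.text]
    if not modes:
        findings.append("no tracking-mode set; container default may allow URL rewriting")
    elif "URL" in modes:
        findings.append("tracking-mode URL enabled; session id can leak via URLs")
    return findings


# Constructed sample: every one of the four checks fails.
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config>
    <session-timeout>-1</session-timeout>
    <tracking-mode>URL</tracking-mode>
  </session-config>
</web-app>"""

# Constructed sample: the settings from the post, collected in one session-config.
HARDENED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <session-config>
    <session-timeout>10</session-timeout>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>
</web-app>"""

if __name__ == "__main__":
    for label, doc in (("weak", WEAK_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        result = audit_web_xml(doc)
        print(f"{label}: {'OK' if not result else ''}")
        for finding in result:
            print(f"  - {finding}")
```

Running the script prints four findings for the weak descriptor and OK for the hardened one; point audit_web_xml at the contents of a real WEB-INF/web.xml to audit an actual deployment.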