Top 10 Application Security Vulnerabilities in Web.config Files - Part One
- Introduction
- Custom Errors Disabled
- Leaving Tracing Enabled in Web-Based Applications
- Debugging Enabled
- Cookies Accessible through Client-Side Script
- Cookieless Session State Enabled
Cookies Accessible through Client-Side Script
Vulnerable configuration:

    <configuration>
      <system.web>
        <httpCookies httpOnlyCookies="false" />
      </system.web>
    </configuration>

Secure configuration:

    <configuration>
      <system.web>
        <httpCookies httpOnlyCookies="true" />
      </system.web>
    </configuration>
Any cookie marked with this property will be accessible only from server-side code, and not to any client-side scripting code like JavaScript or VBScript. This shielding of cookies from the client helps to protect Web-based applications from Cross-Site Scripting attacks. A hacker initiates a Cross-Site Scripting (also called CSS or XSS) attack by attempting to insert his own script code into the Web page to get around any application security in place. Any page that accepts input from a user and echoes that input back is potentially vulnerable. For example, a login page that prompts for a user name and password and then displays "Welcome back, <username>" on a successful login may be susceptible to an XSS attack.
Message boards, forums, and wikis are also often vulnerable to application security issues. In these sites, legitimate users post their thoughts or opinions, which are then visible to all other visitors to the site. But an attacker, rather than posting about the current topic, will instead post a message such as "<script>alert(document.cookie);</script>". The message board now includes the attacker's script code in its page code, and the browser then interprets and executes it for future site visitors. Usually attackers use such script code to try to obtain the user's authentication token (usually stored in a cookie), which they could then use to impersonate the user. When cookies are marked with the "HttpOnly" property, their values are hidden from the client, so this attack will fail.
As mentioned earlier, it is possible to enable "HttpOnly" programmatically on any individual cookie by setting the "HttpOnly" property of the "HttpCookie" object to "true." However, it is easier and more reliable to configure the application to automatically enable "HttpOnly" for all cookies. To do this, set the "httpOnlyCookies" attribute of the <httpCookies> element to "true."
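As an added example (not part of the original article), the following script audits a web.config for the setting discussed above: it parses the file, looks for <system.web><httpCookies> and reports whether httpOnlyCookies is "true". It assumes the ASP.NET default of false when the element or attribute is missing; the three sample configs are constructed for the example.

```python
# Added example: audit a web.config for httpCookies/httpOnlyCookies.
import xml.etree.ElementTree as ET

# Constructed samples mirroring the vulnerable and secure fragments above.
VULNERABLE_CONFIG = """<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="false" />
  </system.web>
</configuration>"""

SECURE_CONFIG = """<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="true" />
  </system.web>
</configuration>"""

# Constructed config with no httpCookies element; the attribute then falls
# back to the ASP.NET default (assumed here to be false).
MISSING_CONFIG = """<configuration>
  <system.web>
    <compilation debug="false" />
  </system.web>
</configuration>"""


def http_only_cookies_enabled(web_config_xml):
    """Return True only if <system.web><httpCookies httpOnlyCookies="true"> is set.

    A missing element or attribute is reported as not enabled.
    """
    root = ET.fromstring(web_config_xml)
    node = root.find("./system.web/httpCookies")
    if node is None:
        return False
    # Compare case-insensitively so a value like "True" is not misreported.
    return node.get("httpOnlyCookies", "false").strip().lower() == "true"


def audit(web_config_xml):
    """Produce a one-line finding suitable for a configuration review report."""
    if http_only_cookies_enabled(web_config_xml):
        return "OK: httpOnlyCookies=true; cookie values are hidden from client-side script"
    return ("FINDING: httpOnlyCookies is not true; cookies are readable via "
            "document.cookie and exposed to XSS")


if __name__ == "__main__":
    for name, cfg in [("vulnerable", VULNERABLE_CONFIG),
                      ("secure", SECURE_CONFIG),
                      ("missing", MISSING_CONFIG)]:
        print(f"{name}: {audit(cfg)}")
```

Point the script at a real file by reading it into a string and passing it to audit(); a missing <httpCookies> element is deliberately reported as a finding rather than silently passed.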