Top 10 Application Security Vulnerabilities in Web.config Files - Part One

14 May 2007 | by | Filed in
Page 5 of 6
  1. Introduction
  2. Custom Errors Disabled
  3. Leaving Tracing Enabled in Web-Based Applications
  4. Debugging Enabled
  5. Cookies Accessible through Client-Side Script
  6. Cookieless Session State Enabled

Cookies Accessible through Client-Side Script

In Internet Explorer 6.0, Microsoft introduced a new cookie property called "HttpOnly." While you can set the property programmatically on a per-cookie basis, you also can set it globally in the site configuration.

Vulnerable configuration:

<configuration> 
  <system.web> 
    <httpCookies httpOnlyCookies="false">

Secure configuration:

<configuration> 
  <system.web> 
    <httpCookies httpOnlyCookies="true">

Any cookie marked with this property will be accessible only from server-side code, and not to any client-side scripting code like JavaScript or VBScript. This shielding of cookies from the client helps to protect Web-based applications from Cross-Site Scripting attacks. A hacker initiates a Cross-Site Scripting (also called CSS or XSS) attack by attempting to insert his own script code into the Web page to get around any application security in place. Any page that accepts input from a user and echoes that input back is potentially vulnerable. For example, a login page that prompts for a user name and password and then displays "Welcome back, <username>" on a successful login may be susceptible to an XSS attack.

Message boards, forums, and wikis are also often vulnerable to application security issues. In these sites, legitimate users post their thoughts or opinions, which are then visible to all other visitors to the site. But an attacker, rather than posting about the current topic, will instead post a message such as "<script>alert(document.cookie);</script>". The message board now includes the attacker's script code in its page code-and the browser then interprets and executes it for future site visitors. Usually attackers use such script code to try to obtain the user's authentication token (usually stored in a cookie), which they could then use to impersonate the user. When cookies are marked with the "HttpOnly" property, their values are hidden from the client, so this attack will fail.

As mentioned earlier, it is possible to enable "HttpOnly" programmatically on any individual cookie by setting the "HttpOnly" property of the "HttpCookie" object to "true." However, it is easier and more reliable to configure the application to automatically enable "HttpOnly" for all cookies. To do this, set the "httpOnlyCookies" attribute of the <httpCookies> element to "true."

You might also like...

Comments

About the author

Bryan Sullivan United States

Bryan Sullivan is a development manager at SPI Dynamics, a Web application security products company. Bryan manages the

  • www.spidynamics.com

    • Interested in writing for us? Find out more.

    ASP.NET tutorials

    ASP.NET books

    ASP.NET forum discussion

    ASP.NET podcasts

    • IBM developerWorks: TWOdW: Save data energy and pull down old silos

      Published 8 years ago, running time 0h2m

      Last month, we highlighted a demo on how to integrate reverse-proxy WebSEAL (found in the IBM Security Access Manager solution) with the SAP NetWeaver Application Server ABAP. Now developerWorks has provided a wrapper of resources around the video to help you identify opportunities to learn more

    Contribute

    Why not write for us? Or you could submit an event or a user group in your area. Alternatively just tell us what you think!

    Web Development

    Developer Jobs

    Our tools

    We've got automatic conversion tools to convert C# to VB.NET, VB.NET to C#. Also you can compress javascript and compress css and generate sql connection strings.

    Cancel
    “To iterate is human, to recurse divine” - L. Peter Deutsch