How to connect a real device to AppUse


In order to connect a real device you should do the following steps:

  1. Enable USB debugging mode:

a. Open your device’s “Settings.”
This can be done by pressing the Menu button while on your home screen and tapping “System Settings.”
b. Scroll to the bottom and tap “About phone.”
c. On the “About” screen, scroll to the bottom and tap on “Build number” seven times.
If the message “Not needed, you are already a developer!” pops up instead, developer options were already enabled and you can proceed.

Setting the HttpOnly Flag – PHP

PHP has supported the HttpOnly flag since version 5.2.0 (November 2006).

For the session cookie that PHP manages itself, the flag can be set globally in php.ini:

session.cookie_httponly = 1

Alternatively it can be set per script with one of the methods below. In every case the code must run before any output is sent, because cookies travel in the response headers.

Method#1 By using ini_set before session_start (and setcookie for any other cookie)

Add the following code at the top of the page:

ini_set("session.cookie_httponly", 1);              // affects the session cookie only
session_start();                                     // the session cookie is now issued with HttpOnly
setcookie("name", "value", 0, "", "", false, true);  // other cookies: the 7th argument (httponly) sets the flag

Method#2 By using session_set_cookie_params before session_start

Add the following code at the top of the page:

session_set_cookie_params(0, NULL, NULL, NULL, TRUE); // (lifetime, path, domain, secure, httponly)
session_start();                                       // the session cookie is now issued with HttpOnly
setcookie("name", "value", 0, "", "", false, true);    // other cookies still need the flag individually

Method#3 By using the httponly argument of setcookie

Add the following code while creating any cookie (not necessarily a session cookie):

setcookie("name", "value", 0, "", "", false, true); // arguments: name, value, expires, path, domain, secure, httponly

From PHP 7.3 the flag can also be passed as the "httponly" key of the options array that setcookie and session_set_cookie_params accept, alongside "secure" and "samesite".

References

http://php.net/manual/en/function.setcookie.php
http://php.net/manual/en/function.session-set-cookie-params.php

http://php.net/manual/en/session.configuration.php#ini.session.cookie-ht…

Setting the HttpOnly Flag – ASP.NET

Method #1

Add the following configuration to your web.config; it applies the flag to every cookie the application creates:

<system.web>
    <httpCookies httpOnlyCookies="true"  />
</system.web>

Method #2

In the code, use the System.Web.HttpCookie.HttpOnly property to set the flag on an individual cookie:

// Create a cookie and mark it HttpOnly: the browser still sends it with
// every request, but document.cookie and other client-side script cannot read it.
HttpCookie theHttpOnlyCookie = new HttpCookie("LastVisit", DateTime.Now.ToString());
theHttpOnlyCookie.HttpOnly = true;
Response.AppendCookie(theHttpOnlyCookie);

References

http://msdn.microsoft.com/en-us/library/ms533046.aspx

Setting the HttpOnly Flag – Java

For servlet versions before 3.0

There is no HttpOnly API, so write the Set-Cookie header by hand when the session is created. Do this before the response is committed, and note that setHeader replaces any Set-Cookie header already queued (use addHeader if the response sets other cookies):

String sessionid = request.getSession().getId();
// Include the Path attribute your container uses for JSESSIONID (usually the
// context path); without it the cookie is only sent back for the current directory.
response.setHeader("Set-Cookie", "JSESSIONID=" + sessionid + "; HttpOnly");

For servlet version 3.0 or later

Add the following lines to the web.xml file; the container then issues JSESSIONID with HttpOnly. For cookies you create yourself, Servlet 3.0 also added Cookie.setHttpOnly(boolean).

<session-config>
 <cookie-config>
  <http-only>true</http-only>
 </cookie-config>
</session-config>

Reference

https://www.owasp.org/index.php/HttpOnly#Using_Java_to_Set_HttpOnly
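The PHP, ASP.NET and Java settings above all end up as a Set-Cookie header carrying the HttpOnly attribute, so the quickest check is to read that header back. The Python script below is an example added here, not code from the original page or from OWASP: it parses the headers of a raw HTTP response and lists the cookies that client-side script could still read. The response text is constructed, not captured traffic, and the session cookie names are the framework defaults for PHP, ASP.NET and Java servlets.

```python
"""Audit the Set-Cookie headers of a raw HTTP response for the HttpOnly flag.

Added example, not code from the original page. SAMPLE_RESPONSE is constructed.
"""
from typing import Dict, List

# Default session cookie names for PHP, ASP.NET and Java servlet containers.
SESSION_COOKIE_NAMES = {"phpsessid", "asp.net_sessionid", "jsessionid"}


def parse_set_cookie(value: str) -> Dict[str, object]:
    """Split one Set-Cookie value into name, value and a dict of attributes.

    Flag attributes (HttpOnly, Secure) map to True; valued ones (Path, Expires)
    map to their string value. Attribute names are case-insensitive, so they
    are lowercased.
    """
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": cookie_value, "attrs": attrs}


def set_cookie_headers(raw_response: str) -> List[str]:
    """Return every Set-Cookie header value from the header block of a raw response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        key, sep, val = line.partition(":")
        if sep and key.strip().lower() == "set-cookie":
            values.append(val.strip())
    return values


def audit_cookies(raw_response: str) -> List[Dict[str, object]]:
    """Per cookie: is HttpOnly set, is Secure set, and does it look like a session cookie."""
    findings = []
    for hdr in set_cookie_headers(raw_response):
        cookie = parse_set_cookie(hdr)
        attrs = cookie["attrs"]
        findings.append({
            "name": cookie["name"],
            "httponly": "httponly" in attrs,
            "secure": "secure" in attrs,
            "session_cookie": str(cookie["name"]).lower() in SESSION_COOKIE_NAMES,
        })
    return findings


def missing_httponly(raw_response: str) -> List[str]:
    """Names of cookies that document.cookie could expose because HttpOnly is absent."""
    return [str(f["name"]) for f in audit_cookies(raw_response) if not f["httponly"]]


# Constructed sample: a PHP session cookie with the flag, a preference cookie
# without it, and a Java session cookie with both Secure and HttpOnly.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Set-Cookie: PHPSESSID=3f1c7e0c9a; path=/; HttpOnly\r\n"
    "Set-Cookie: prefs=dark; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT\r\n"
    "Set-Cookie: JSESSIONID=8A4F2E; Path=/app; Secure; HttpOnly\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    for finding in audit_cookies(SAMPLE_RESPONSE):
        print(finding)
    print("readable from document.cookie:", missing_httponly(SAMPLE_RESPONSE))
```

Run it against a response captured with curl -i (or the browser's network panel) to confirm the framework is really emitting the flag; a pre-existing Set-Cookie issued before the configuration change will still show up without it.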

Clickjacking

Description

Clickjacking, also known as a UI Redress Attack, is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on what they can see, which is the top-level page.

It is a malicious technique of tricking web users into clicking on something different from what they believe they are clicking on, thus potentially revealing confidential information or performing actions in their name while they click on seemingly innocuous web pages.

It is a browser behaviour rather than a server-side bug: every browser on every platform will render a site inside another origin's frame unless that site tells it not to, which is why the fixes below are response headers and framing checks.


Clickjacking – Java Secure Coding

Method #1 Adding the X-Frame-Options HTTP header

Set the header on every response, including error pages; a servlet Filter is the usual place. The Content-Security-Policy frame-ancestors directive is the modern replacement and takes precedence over X-Frame-Options in browsers that support it.

 // to prevent all framing of this content
 response.addHeader( "X-Frame-Options", "DENY" );
 
 // to allow framing of this content only by this site
 response.addHeader( "X-Frame-Options", "SAMEORIGIN" );

Method #2 Including frame busting code

Frame busting is a fallback for browsers that ignore X-Frame-Options, not a substitute for it: a hostile page can load the target in a sandboxed iframe that forbids top-level navigation, and the script then never escapes. The page is hidden by default and only revealed once the script confirms it is not framed.

<style> html { display: none; } </style>
<script>
   if ( self === top ) {
       // not framed: reveal the page
       document.documentElement.style.display = 'block';
   } else {
       // framed: break out to the top-level window
       top.location = self.location;
   }
</script>

References

https://www.owasp.org/index.php/Clickjacking_Protection_for_Java_E

Clickjacking – ASP.NET Secure Coding

Method #1 Adding the X-Frame-Options in HTTP header

Add the code to the Application_BeginRequest method of global.asax, so it runs for every request the application handles:

void Application_BeginRequest(object sender, EventArgs e)
{
    // AppendHeader is the ASP.NET API; AddHeader only exists for classic ASP compatibility.
    HttpContext.Current.Response.AppendHeader("X-Frame-Options", "DENY");
}

Method #2 Including frame busting code

As with the Java version, this is a fallback for browsers that ignore X-Frame-Options and can be defeated by a sandboxed iframe, so use it together with the header, not instead of it.

<style> html { display: none; } </style>
<script>
   if ( self === top ) {
       // not framed: reveal the page
       document.documentElement.style.display = 'block';
   } else {
       // framed: break out to the top-level window
       top.location = self.location;
   }
</script>

References

http://technet.microsoft.com/en-us/security/cc242650
http://blogs.msdn.com/b/sdl/archive/2009/02/05/clickjacking-defense-in-i…

Clickjacking protection in IIS7

Configure IIS to prevent Clickjacking

Follow these steps to add the header to every response the site serves (the same header can also be declared in web.config under system.webServer/httpProtocol/customHeaders):

  • Open Internet Information Services (IIS) Manager.
  • In the Connections pane on the left side, expand the Sites folder and select the site that you want to protect.
  • Double-click the HTTP Response Headers icon in the feature list in the middle.
  • In the Actions pane on the right side, click Add.
  • In the dialog box that appears, type X-Frame-Options in the Name field and type SAMEORIGIN in the Value field.
  • Click OK to save your changes.

References

http://support.microsoft.com/kb/2694329
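Whichever of the Java, ASP.NET or IIS settings above is used, the result has to be checked on the wire. The Python script below is an example added here, not code from the original page, OWASP or Microsoft: it classifies a response's framing protection from its headers. It treats a Content-Security-Policy frame-ancestors directive as authoritative, because browsers that implement it ignore X-Frame-Options when both are present, and it flags conflicting or unsupported X-Frame-Options values (such as the never widely supported ALLOW-FROM) as something to fix rather than trust. The sample responses are constructed.

```python
"""Classify a response's clickjacking protection from its headers.

Added example, not code from the original page. Sample responses are constructed.
"""
from typing import Dict, List, Optional, Tuple

VALID_XFO = {"DENY", "SAMEORIGIN"}


def response_headers(raw_response: str) -> List[Tuple[str, str]]:
    """(lowercased name, value) pairs from the header block of a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def frame_ancestors(csp: str) -> Optional[List[str]]:
    """Sources of the frame-ancestors directive, or None if the policy has none."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def framing_verdict(raw_response: str) -> Dict[str, object]:
    """Return 'blocked', 'same-origin', 'restricted' (CSP allow-list), 'invalid' or 'open'."""
    hdrs = response_headers(raw_response)

    # CSP frame-ancestors wins: browsers that implement it ignore X-Frame-Options.
    for _, policy in (h for h in hdrs if h[0] == "content-security-policy"):
        sources = frame_ancestors(policy)
        if sources is None:
            continue
        if sources == ["'none'"]:
            return {"verdict": "blocked", "source": "csp"}
        if sources == ["'self'"]:
            return {"verdict": "same-origin", "source": "csp"}
        return {"verdict": "restricted", "source": "csp", "allowed": sources}

    # Collect every X-Frame-Options value; name and value are case-insensitive.
    values = set()
    for name, value in hdrs:
        if name == "x-frame-options":
            values.update(v.strip().upper() for v in value.split(",") if v.strip())

    if not values:
        return {"verdict": "open", "source": None}
    if len(values) > 1 or not values <= VALID_XFO:
        # Conflicting values, or ones browsers do not honour (ALLOW-FROM),
        # cannot be relied on; report them so the configuration gets fixed.
        return {"verdict": "invalid", "source": "x-frame-options", "values": sorted(values)}
    (value,) = values
    return {"verdict": "blocked" if value == "DENY" else "same-origin",
            "source": "x-frame-options"}


# Constructed samples, not captured traffic.
SAMPLE_DENY = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: deny\r\n\r\n<html></html>"
SAMPLE_OPEN = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
SAMPLE_CSP = (
    "HTTP/1.1 200 OK\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'self' https://partner.example\r\n"
    "\r\n<html></html>"
)
SAMPLE_CONFLICT = (
    "HTTP/1.1 200 OK\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Frame-Options: ALLOW-FROM https://partner.example\r\n"
    "\r\n<html></html>"
)

if __name__ == "__main__":
    for label, sample in [("deny", SAMPLE_DENY), ("open", SAMPLE_OPEN),
                          ("csp", SAMPLE_CSP), ("conflict", SAMPLE_CONFLICT)]:
        print(label, framing_verdict(sample))
```

The SAMPLE_CSP case is the one that surprises people: its X-Frame-Options: DENY is dead weight, because the CSP allow-list is what the browser enforces.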

Prevention of Web Page Caching – PHP

Method

Add the following headers to the page, before any output is sent, to prevent it being cached. no-store is the directive that stops the browser writing the page to disk; no-cache alone only forces revalidation, and Pragma covers HTTP/1.0 caches:

header('Cache-Control: no-cache, no-store, must-revalidate');
header('Pragma: no-cache'); 
header('Expires: 0');

Reference

http://wiki.asp.net/page.aspx/1487/prevent-browser-caching-of-web-pages-…
https://www.owasp.org/index.php/Testing_for_Logout_and_Browser_Cache_Man…(OWASP-AT-007)

Prevention of Web Page Caching – Java

Method

Add the following headers to the response, before it is committed, to prevent the page being cached (setDateHeader with 0 sends Expires: Thu, 01 Jan 1970 00:00:00 GMT):

response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
response.setHeader("Pragma", "no-cache");
response.setDateHeader("Expires", 0);

Reference

https://weblogs.java.net/blog/swchan2/archive/2013/08/29/when-httpsessio…
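To confirm that the PHP and Java headers above actually stop a page from being cached, the Python script below (an example added here, not code from the original page) parses Cache-Control, Pragma and Expires and reports what a browser or shared cache could still do with the response. It reads Expires with the standard library's RFC 2822 date parser and treats a malformed value such as 0 as already expired, which is how HTTP clients handle it. FIXED_NOW and the two sample responses are constructed so the run is reproducible.

```python
"""Check whether a response forbids caching of sensitive content.

Added example, not code from the original page. FIXED_NOW and the sample
responses are constructed, not captured traffic.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional, Tuple

# Fixed "current time" so the Expires comparison is deterministic.
FIXED_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)


def response_headers(raw_response: str) -> List[Tuple[str, str]]:
    """(lowercased name, value) pairs from the header block of a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def cache_control_directives(value: str) -> Dict[str, str]:
    """Parse 'no-cache, max-age=0' into {'no-cache': '', 'max-age': '0'} (names lowercased)."""
    directives: Dict[str, str] = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip().strip('"')
    return directives


def expires_in_past(value: str, now: datetime) -> bool:
    """True for a past HTTP-date, or for a malformed value such as '0', which clients treat as expired."""
    try:
        expires = parsedate_to_datetime(value)
    except (TypeError, ValueError):  # older Pythons raise TypeError on unparsable dates
        return True
    if expires.tzinfo is None:
        expires = expires.replace(tzinfo=timezone.utc)
    return expires <= now


def cache_verdict(raw_response: str, now: Optional[datetime] = None) -> Dict[str, object]:
    """Return whether the response may be stored and the list of weaknesses found."""
    now = now or datetime.now(timezone.utc)
    hdrs = response_headers(raw_response)
    # Several Cache-Control headers are equivalent to one comma-joined header.
    cc = cache_control_directives(", ".join(v for k, v in hdrs if k == "cache-control"))
    pragma = ", ".join(v for k, v in hdrs if k == "pragma").lower()
    expires = next((v for k, v in hdrs if k == "expires"), None)

    problems = []
    if "no-store" not in cc:
        problems.append("Cache-Control lacks no-store: the response may be written to disk")
    if "no-cache" not in cc and "must-revalidate" not in cc:
        problems.append("a cached copy may be reused without revalidation")
    if "private" not in cc and "no-store" not in cc:
        problems.append("neither private nor no-store: shared caches may store the response")
    if "no-cache" not in pragma:
        problems.append("Pragma: no-cache missing, so HTTP/1.0 caches are not told")
    if expires is None or not expires_in_past(expires, now):
        problems.append("Expires missing or in the future")
    return {"cacheable": "no-store" not in cc, "problems": problems}


SAMPLE_HARDENED = (  # what the PHP snippet above sends
    "HTTP/1.1 200 OK\r\n"
    "Cache-Control: no-cache, no-store, must-revalidate\r\n"
    "Pragma: no-cache\r\n"
    "Expires: 0\r\n"
    "\r\n<html>account statement</html>"
)
SAMPLE_WEAK = (  # a common half-measure: no-cache only, and a future Expires
    "HTTP/1.1 200 OK\r\n"
    "Cache-Control: no-cache\r\n"
    "Expires: Wed, 21 Oct 2026 07:28:00 GMT\r\n"
    "\r\n<html>account statement</html>"
)

if __name__ == "__main__":
    for label, sample in [("hardened", SAMPLE_HARDENED), ("weak", SAMPLE_WEAK)]:
        print(label, cache_verdict(sample, FIXED_NOW))
```

The weak sample is what many "logout still shows the page on Back" findings look like in practice: no-cache forces revalidation for a live cache but does not stop the page being stored, so the back button can still display it.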