Entries by AppSec Labs

Directory Listing

Description: Directory listing is a web server function that displays a list of all the files in a specific website directory when that directory has no index file, such as index.php or default.asp. Some web administrators do not properly configure their web servers to disable directory listing, or do not disable it at all. For […]

Setting Cookie Secure Flag – Apache

Method: Add the following line into section 1 (Global Environment) of httpd.conf. This line loads the headers_module module, which provides directives to control and modify HTTP request and response headers.

LoadModule headers_module modules/mod_headers.so

After loading the headers_module module, add the following line into section 3 (Main Server Config) of httpd.conf:

Header edit Set-Cookie ^(.*)$ $1;Secure

Reference: https://www.owasp.org/index.php/SecureFlag

Setting Cookie Secure Flag – PHP

Method #1: By using the ini_set function. Add the following code on the page.

Method #2: By using the session_set_cookie_params function. Add the following code on the page.

Method #3: By using the setcookie function. Add the following code when creating the cookie.

References: https://www.owasp.org/index.php/SecureFlag http://php.net/manual/en/function.setcookie.php http://php.net/manual/en/function.session-set-cookie-params.php

Setting Cookie Secure Flag – Java

Method #1: Create a secure cookie by calling the setSecure method, which marks the cookie as Secure.

Method #2: Add the following lines to the web.xml file of the project to make the cookie secure.

Reference: https://www.owasp.org/index.php/SecureFlag

Cookie Secure Flag

Description: When a cookie is set with the Secure flag, it instructs the browser that the cookie may only be sent over secure SSL/TLS channels. This is an important security protection for session cookies. The Secure flag is an option that can be set by the application server when sending a new cookie to the […]

Cookie – HttpOnly Flag

Description: When a cookie is set with the HttpOnly flag, it instructs the browser that the cookie can only be accessed by the server and not by client-side scripts. This is an important security protection for session cookies. If the HttpOnly flag (optional) is set, the cookie cannot be accessed through client-side script (again, if […]

Setting the HttpOnly Flag – PHP

PHP supports setting the HttpOnly flag since version 5.2.0 (November 2006). For session cookies managed by PHP, the flag is set either permanently in php.ini through the parameter:

Method #1: By using the ini_set function before calling setcookie. Add the following code on the page.

Method #2: By using the session_set_cookie_params function before calling setcookie. Add the following […]