Posts

Password Autocomplete vulnerability and a workaround solution

Until recently, it was trivial for developers to disable the “save you password” feature implemented by all major browsers. However, in the last years, browser vendors have begun to actively discourage and prevent applications from disabling this feature. Their case is that the safest practice for users is to use a password manager, instead of having their passwords lying around on digital or physical support, where they can be exposed or stolen. Since it’s a client-side issue, they claim that the option should be given to users (and not to the developers) to disable this feature by configuring the browser itself.

Although this may be partly true, it does not take into account highly sensitive applications, which might be used on a shared computer, and which do not want to rely on the browser being properly configured (with autocomplete disabled). If this is your case, you should keep on reading.

It is now a real challenge to find a workaround that will work across all major browsers. So we came up with the following trick which detects the user’s browser version and acts accordingly:

Read more

Preventing Directory Listing – Apache

Using httpd.conf or .htaccess

Add the following lines in httpd.conf or .htaccess

Options -Indexes
IndexIgnore *

Reference

http://wiki.apache.org/httpd/DirectoryListings

Preventing Directory Listing – ASP.NET

Method

Add the following lines to web.config:

<configuration>
  <location path=".">
    <system.webServer>
      <directoryBrowse enabled="false" />
    </system.webServer>
  </location>
</configuration>

References

http://msdn.microsoft.com/en-us/library/ff649337.aspx
http://blogs.iis.net/bills/archive/2008/03/24/how-to-enable-directory-br…

Directory Listing

Description

Directory listing is a web server function that displays a list of all the files when there is no index file, such as index.php and default.asp in a specific website directory.

Some web administrators do not properly configure web servers to disable the Directory Listing or sometimes do not do it at all.

For instance, administrators may make complex configuration settings, such as to allow directory listing for particular directories or subdirectories. The improper configuration of this task might result in the unexpected and unintended enabling of listing of directories which contain sensitive information.

See how to fix it!

Read more

Setting Cookie Secure Flag – Apache

Method

Add the following line into section 1(Global Environment) of httpd.conf, this line will load the headers_module module, which provides directives to control and modify HTTP request and response headers.

LoadModule headers_module modules/mod_headers.so

After loading the headers_module module, add the following line into section 3(Main Server Config) of httpd.conf

Header edit Set-Cookie ^(.*)$ $1;Secure

Reference

https://www.owasp.org/index.php/SecureFlag

Setting Cookie Secure Flag – PHP

Method #1 By using ini_set function

Add the following code on the page

ini_set("session.cookie_secure", 1);

Method #2 By using session_set_cookie_params function

Add the following code on the page:

session_set_cookie_params(0, NULL, NULL, TRUE, NULL);

Method #3 By using setcookie function

Add the following code when creating cookie:

setcookie("name", "value", NULL, NULL, NULL, TRUE, NULL);

References

https://www.owasp.org/index.php/SecureFlag
http://php.net/manual/en/function.setcookie.php
http://php.net/manual/en/function.session-set-cookie-params.php

Setting Cookie Secure Flag – ASP.NET

Method #1 Setting Secure Property True

Create Cookie by setting secure property true:

HttpCookie cookie = new HttpCookie('name');
cookie.Secure = True;
cookie.Value = 'Value';

Method#2 Using web.config

Add the following codes to web.config

<system.web>
<httpCookies requireSSL="true" />
</system.web>

Reference

https://www.owasp.org/index.php/SecureFlag

Setting Cookie Secure Flag – Java

Method #1

Create secure cookie by calling setSecure method, which allows cookie to be secure

Cookie newCookie = new Cookie("name","value");
newCookie.setSecure(true);

Method #2

Add the following lines to web.xml file of the project to make the cookie secure.

<session-config>
 <cookie-config>
 <secure>true</secure>
 </cookie-config>
</session-config>

Reference

https://www.owasp.org/index.php/SecureFlag

Setting the HttpOnly Flag – PHP

PHP supports setting the HttpOnly flag since version 5.2.0 (November 2006).

For session cookies managed by PHP, the flag is set either permanently in php.ini through the parameter:

session.cookie_httponly = True

Method#1 By using ini_set function before using setcookie function.

Add the following code on the page:

ini_set("session.cookie_httponly", 1);
setcookie("name", "value", NULL, NULL, NULL, NULL, TRUE); 

Method#2 By using session_set_cookie_params function before using setcookie function

Add the following code on the page:

session_set_cookie_params(0, NULL, NULL, NULL, TRUE);
setcookie("name", "value", NULL, NULL, NULL, NULL, TRUE);

Method#3 By using setcookie function

Add the following code while creating cookie (not necessarily a session cookie):

setcookie("name", "value", NULL, NULL, NULL, NULL, TRUE); 

References

http://php.net/manual/en/function.setcookie.php
http://php.net/manual/en/function.session-set-cookie-params.php

http://php.net/manual/en/session.configuration.php#ini.session.cookie-ht…

Setting the HttpOnly Flag – ASP.NET

Method #1

Add the following configuration to your web.config:

<system.web>
    <httpCookies httpOnlyCookies="true"  />
</system.web>

Method #2

In the code, use the System.Web.HttpCookie.HttpOnly property:

// Create an HttpOnly cookie.
HttpCookie theHttpOnlyCookie = new HttpCookie("LastVisit", DateTime.Now.ToString());
// Setting the HttpOnly value to true, makes
// this cookie accessible only to ASP.NET.
theHttpOnlyCookie.HttpOnly = true;
theHttpOnlyCookie.Name = "TheHttpOnlyCookie";
Response.AppendCookie(theHttpOnlyCookie);
// Show the name of the HttpOnly cookie.
Response.Write(theHttpOnlyCookie.Name);

References

http://msdn.microsoft.com/en-us/library/ms533046.aspx