The HttpCookie.HttpOnly property in web.config

Abstract:

The program does not set the HttpCookie.HttpOnly property to true.

Explanation:

The default value for the httpOnlyCookies attribute is false, meaning that the cookie is accessible through a client-side script. This is an unnecessary cross-site scripting threat, resulting in stolen cookies. Stolen cookies can contain sensitive information identifying the user to the site, such as the ASP.NET session ID or forms authentication ticket, and can be replayed by the attacker in order to masquerade as the user or obtain sensitive information.

Example 1: Vulnerable configuration:

    <configuration>
      <system.web>
        <httpCookies httpOnlyCookies="false" />
      </system.web>
    </configuration>

Recommendations:

Microsoft Internet Explorer version 6 Service Pack 1 and later supports a cookie property, HttpOnly, that can help mitigate cross-site scripting threats that result in stolen cookies. Stolen cookies can contain sensitive information identifying the user to the site, such as the ASP.NET session ID or forms authentication ticket, and can be replayed by the attacker in order to masquerade as the user or obtain sensitive information. When an HttpOnly cookie is received by a compliant browser, it is inaccessible to client-side script.

Example 2: Secure configuration. Any cookie marked with this property is accessible only from server-side code, not from client-side scripting code such as JavaScript or VBScript. Shielding cookies from the client in this way helps protect web-based applications from cross-site scripting attacks. An attacker initiates a cross-site scripting (XSS, sometimes also written CSS) attack by attempting to insert their own script code into the web page to get around any application security in place. Any page that accepts input from a user and echoes that input back is potentially vulnerable.

    <configuration>
      <system.web>
        <httpCookies httpOnlyCookies="true" />
      </system.web>
    </configuration>

Tips:

1. It is possible to enable HttpOnly programmatically on any individual cookie by setting the HttpOnly property of the HttpCookie object to true. However, it is easier and more reliable to configure the application to automatically enable HttpOnly for all cookies. To do this, set the httpOnlyCookies attribute of the httpCookies element to true.

2. Setting the HttpOnly property to true does not prevent an attacker with access to the network channel from accessing the cookie directly. Consider using Secure Sockets Layer (SSL) to help protect against this. Workstation security is also important, as a malicious user could use an open browser window or a computer containing persistent cookies to obtain access to a web site with a legitimate user's identity.
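As an added example that is not part of the original post, the Python script below performs the two checks a reviewer would run against a deployment: whether a web.config enables httpOnlyCookies (a missing httpCookies element or attribute is treated as the false default, exactly as the finding above does) and whether a given Set-Cookie response header actually carries the HttpOnly attribute. The web.config strings and Set-Cookie values are constructed samples, not taken from any real site.

```python
import xml.etree.ElementTree as ET


def http_only_cookies_enabled(web_config_xml: str) -> bool:
    """True only if <httpCookies httpOnlyCookies="true"> sits under <system.web>.

    httpOnlyCookies defaults to false, so a missing element or attribute
    is reported as disabled, exactly as the finding above treats it.
    """
    root = ET.fromstring(web_config_xml)
    for system_web in root.iter("system.web"):
        for child in system_web:
            if child.tag == "httpCookies":
                value = child.get("httpOnlyCookies", "false")
                return value.strip().lower() == "true"
    return False


def set_cookie_is_http_only(set_cookie_header: str) -> bool:
    """True if a Set-Cookie header value carries the HttpOnly attribute.

    Cookie attributes are case-insensitive (RFC 6265), so 'httponly' counts.
    """
    attributes = set_cookie_header.split(";")[1:]
    return any(a.strip().split("=", 1)[0].lower() == "httponly" for a in attributes)


# Constructed sample inputs; not taken from any real deployment.
VULNERABLE_CONFIG = """<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="false" />
  </system.web>
</configuration>"""

SECURE_CONFIG = """<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>"""

SAMPLE_HEADERS = [
    "ASP.NET_SessionId=CONSTRUCTED1; path=/",
    "ASP.NET_SessionId=CONSTRUCTED2; path=/; HttpOnly",
    ".ASPXAUTH=CONSTRUCTED3; path=/; secure; httponly",
]

if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE_CONFIG), ("secure", SECURE_CONFIG)):
        print(f"{name}: httpOnlyCookies enabled = {http_only_cookies_enabled(cfg)}")
    for header in SAMPLE_HEADERS:
        print(f"HttpOnly={set_cookie_is_http_only(header)}  {header}")
```

The header check complements the config check: the web.config setting only affects cookies ASP.NET itself emits, so a cookie set by a reverse proxy or other component should still be verified on the wire.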

Original article: https://www.cnblogs.com/time-is-life/p/6202611.html