Monday, February 20, 2012

The important "expires" attribute of Set-Cookie

The Established Assumption

The "expires" attribute of the Set-Cookie HTTP response header is commonly described in the following way.

Taken from OWASP Testing Guide:
https://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)
*expires - This attribute is used to set persistent cookies, since the cookie does not expire until the set date is exceeded.  This persistent cookie will be used by this browser session and subsequent sessions until the cookie expires.  Once the expiration date has exceeded, the browser will delete the cookie.  Alternatively, if this attribute is not set, then the cookie is only valid in the current browser session and the cookie will be deleted when the session ends. 

The Truth 

Omitting "expires" looks acceptable at first sight because the browser is expected to clean the cookie up on its own, but a session cookie actually stays active until the user closes the whole browser, i.e. the browser process; it is not deleted when the user merely closes the browser tab, and a browser that restores its previous session on start-up can keep it across a restart as well. In the meantime, responses carrying the cookie may be cached by intermediate caching proxy servers. Relying on such external factors for application security fails without notice. Best practice is for the application to set the "expires" attribute (or "Max-Age") on the session cookie explicitly, to a value that matches its own session time-out. Conversely, an application that does not set the attribute usually has no defined session expiration time-out at all, which is a failure of secure session management. Note that the attribute is only advice to the browser: an attacker who has captured the cookie can replay it until the server stops accepting it, so the server must enforce the time-out on its side as well.
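As an added example (not code from the original post), the following Python builds a session cookie with an explicit Expires and Max-Age, audits arbitrary Set-Cookie headers for the session-versus-persistent distinction made above, and adds the server-side idle time-out that has to exist anyway, since Expires is only advice to the browser. The cookie names, tokens and timestamps are constructed for the example, and SessionStore is a hypothetical in-memory store, not any framework's API.

```python
"""Explicit session-cookie lifetime plus server-side time-out (added example;
all names, values and timestamps are constructed for illustration)."""
import secrets
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

# Constructed "current time" so the example is reproducible offline.
FIXED_NOW = datetime(2012, 2, 20, 12, 0, tzinfo=timezone.utc)


def build_session_cookie(name, value, max_age_seconds, now=None, path="/"):
    """Emit a Set-Cookie header whose lifetime is stated explicitly.

    Both Expires (the absolute date the post discusses) and Max-Age are sent;
    RFC 6265 says a browser that understands Max-Age ignores Expires, so the
    two must agree. Secure/HttpOnly/SameSite are added because a session
    cookie without them is exposed to other attacks.
    """
    now = now or datetime.now(timezone.utc)
    expires = now + timedelta(seconds=max_age_seconds)
    return "; ".join([
        f"{name}={value}",
        f"Expires={format_datetime(expires, usegmt=True)}",  # e.g. Mon, 20 Feb 2012 12:30:00 GMT
        f"Max-Age={max_age_seconds}",
        f"Path={path}",
        "Secure",
        "HttpOnly",
        "SameSite=Lax",
    ])


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header, now=None):
    """Classify a Set-Cookie header the way a tester would.

    Returns (name, lifetime_in_seconds_or_None, findings). None means a
    session cookie: no Expires and no Max-Age, so it lives until the browser
    process exits, however many tabs are closed in between.
    """
    now = now or datetime.now(timezone.utc)
    name, _, attrs = parse_set_cookie(header)
    findings = []
    lifetime = None
    if "max-age" in attrs:                      # Max-Age takes precedence over Expires
        lifetime = int(attrs["max-age"])
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        lifetime = int((expires - now).total_seconds())
    if lifetime is None:
        findings.append("session cookie: no Expires/Max-Age, kept until the browser process exits")
    elif lifetime <= 0:
        findings.append("already expired: the browser discards it immediately")
    else:
        findings.append(f"persistent cookie: written to disk, valid for {lifetime}s")
    for flag in ("secure", "httponly"):
        if flag not in attrs:
            findings.append(f"missing {flag}")
    return name, lifetime, findings


class SessionStore:
    """Hypothetical in-memory store enforcing an idle time-out on the server.

    Expires on the cookie is only a hint to the browser; a stolen cookie is
    replayed regardless, so the server must apply the same limit itself.
    Times are epoch seconds (as from time.time()).
    """

    def __init__(self, idle_timeout_seconds):
        self.idle_timeout = idle_timeout_seconds
        self._last_seen = {}   # token -> last request time

    def create(self, now_ts):
        token = secrets.token_urlsafe(32)      # 256-bit unguessable session id
        self._last_seen[token] = now_ts
        return token

    def validate(self, token, now_ts):
        """True if the session exists and was used within the idle window;
        a timed-out session is deleted, not merely rejected."""
        last = self._last_seen.get(token)
        if last is None:
            return False
        if now_ts - last > self.idle_timeout:
            del self._last_seen[token]
            return False
        self._last_seen[token] = now_ts        # sliding idle window
        return True

    def destroy(self, token):
        """Called on log-out so the cookie is useless even before it expires."""
        self._last_seen.pop(token, None)


if __name__ == "__main__":
    store = SessionStore(idle_timeout_seconds=1800)
    token = store.create(FIXED_NOW.timestamp())
    print(build_session_cookie("SESSIONID", token, 1800, now=FIXED_NOW))
    for h in ("SESSIONID=abc123; Path=/; HttpOnly",
              build_session_cookie("SESSIONID", "abc123", 1800, now=FIXED_NOW)):
        print(audit_set_cookie(h, now=FIXED_NOW))
```

The audit treats Max-Age as authoritative when both attributes are present, which is what RFC 6265 prescribes, so a header that sets a distant Expires but a short Max-Age is reported with the short lifetime. The cookie lifetime and the store's idle time-out are given the same value on purpose; a cookie that outlives its server-side session is harmless, while a session that outlives its cookie is what the post warns against.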


Useful References

http://blog.isc2.org/isc2_blog/2008/09/proxy-caches-ar.html
http://www.slideshare.net/TimBass/OWASPTAIPEIThailandTBass
   

Sunday, February 12, 2012

CursorJacking

Cursorjacking is a UI redressing technique that displaces the cursor from the location where the user perceives it to be. Marcus Niemietz first demonstrated it in 2011 with a custom cursor icon; in 2012 Mario Heiderich showed a variant that hides the real cursor altogether.

https://www.aspectsecurity.com/news/application-security/cursor-jacking-attack-could-result-in-application-security-breaches-3/

Demo:

http://koto.github.com/blog-kotowicz-net-examples/cursorjacking/

http://www.mniemietz.de/demo/cursorjacking/cursorjacking.html

Saturday, February 11, 2012

Book Review: Innocent Code: A Security Wake-Up Call for Web Programmers

The book is suitable for educating beginner-to-intermediate web developers and helps them understand the security issues that arise while developing applications.

The author explains the basic threats involved in handling user input and in output handling. One of the best chapters is "Chapter 8 - Rules of Secure Coding", where he summarizes the facts of secure coding and the false programmer assumptions that break application security.

secure configurations for Laravel - The PHP Framework

This framework makes security simple to achieve. Of all the non-default settings, the few following can be set to achieve higher secu...