Posts

Showing posts from February, 2012

The important "expires" attribute of Set-Cookie

The Established Assumption
It has been widely known about the "expires" attribute of Set-Cookie HTTP Response header in the following way. 
Taken from OWASP Testing Guide:
https://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)
*expires - This attribute is used to set persistent cookies, since the cookie does not expire until the set date is exceeded.  This persistent cookie will be used by this browser session and subsequent sessions until the cookie expires.  Once the expiration date has exceeded, the browser will delete the cookie.  Alternatively, if this attribute is not set, then the cookie is only valid in the current browser session and the cookie will be deleted when the session ends. 
The Truth 

Although setting without "expires" attribute is acceptable at first sight because of the browser's automatic cookie clean-up management, the cookie will stay active until the user manually closes the whole browser window, i.e. the browser pr…

CursorJacking

Cursorjacking is a UI redressing technique to displace the cursor from the location the user perceives, originally in 2011 Marcus Niemietz demonstrated this with a custom cursor icon, and in 2012 Mario Heiderich by hiding the cursor.


http://blog.kotowicz.net/2012/01/cursorjacking-again.html
https://www.aspectsecurity.com/news/application-security/cursor-jacking-attack-could-result-in-application-security-breaches-3/


Demo:

http://koto.github.com/blog-kotowicz-net-examples/cursorjacking/

http://www.mniemietz.de/demo/cursorjacking/cursorjacking.html

Book Review: Innocent Code: A Security Wake-Up Call for Web Programmers

The book is suitable for educate beginner-to-intermediate web developers to help understanding security issues in developing applications.

The author explained the basics of threats involved in handling user inputs, and output handling. One of the best chapters is "Chapter 8 - Rules of Secure Coding" where he provides summarized facts about secure coding and false programmer assumptions that break application security.