Tinetti, in Emerging Trends in ICT Security, 2014

Related work

As explained above, the current mechanism for Web session management implies exchanging cookie/s between the client and the server of a Web application. The issue of user privacy has been a topic of debate since the initial definition of the cookies mechanism. The use of cookies and HTTP headers like Referer leads to situations where a third party is able to set up user profiles and determine, for a large set of users, which sites are visited by each of them, at what time of day, etc. Since the proposal for and creation of cookies, several warnings have been published about a large loss of privacy, even from one of the authors of the RFC that defined cookies as part of the HTTP headers for session management. Besides the problems that cookies represent for user privacy, the security of Web applications can be affected by various problems, allowing unauthorized access or identity fraud through manipulated or stolen cookies.

Several Web session attacks are shown in, including those using SSL (Secure Sockets Layer), leading to the conclusion that (a) part of the problem is that HTTP is a stateless protocol, and (b) a solution would be to replace HTTP with something more suitable. Our approach does not include changing the protocol; it involves operating differently in order to avoid cookies while maintaining backward compatibility (i.e., no recoding/fixing of Web applications). OWASP has been working to enhance Web application security in the current scenario of HTTP usage (including cookies). Also, OWASP explicitly identifies commercial initiatives working on Web security. Several Web application security vulnerabilities included in the OWASP Top Ten Project are directly related to cookies, such as:

“A2 Broken Authentication and Session Management,” which is possible once a session cookie has been stolen or by session fixation attacks. The stolen cookie can be used to steal the complete session, which, in turn, allows a third party/user to act as the real/original user.

“A3 Cross-Site Scripting,” or XSS, which allows stealing session cookies. Even if the HttpOnly attribute is used for cookies, another attack, XST (Cross-Site Tracing), which can be considered an XSS variant, allows stealing of cookies. The XST attack is possible only when the “harmless” HTTP Trace method is available. Enabling the HTTP Trace method could be considered part of another OWASP Top Ten vulnerability: “A5 Security Misconfiguration.”

“A6 Sensitive Data Exposure,” which also allows stealing session cookies. Some sites do not use SSL at all, or use SSL only for exchanging user/password information, while all other data exchange is transferred as plain text. Non-encrypted data is easily recovered by means of sniffing techniques.

A summary of Web application security actions/arrangements, taking into account (specifically development and testing guides), can be done by different groups of people:

Verify all application inputs in order to prevent XSS attacks (“A3 Cross-Site Scripting”). Implement several controls related to cookies that are specifically oriented to prevent “A2 Broken Authentication and Session Management,” such as: Set a short time for cookies to expire, or expire them when the browser is closed. Set the HttpOnly and Secure attributes to cookies.
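The cookie controls discussed above (HttpOnly, Secure, a short expiry) and the TRACE precondition for XST can be checked from captured response headers. The following is an added example, not code from the chapter: the 30-minute lifetime threshold, the `SESSIONID` cookie name and the sample headers are all constructed for illustration.

```python
"""Audit cookie handling against the controls described above (HttpOnly, Secure, short lifetime, TRACE off)."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

MAX_LIFETIME_SECONDS = 30 * 60  # assumed policy threshold for a "short" lifetime

def parse_set_cookie(header):
    """Return (cookie name, attributes); attribute names lower-cased, flags map to None."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    attrs = {}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if sep else None
    return parts[0].partition("=")[0].strip(), attrs

def lifetime_seconds(attrs, now):
    """Cookie lifetime in seconds; None means it expires when the browser closes."""
    if attrs.get("max-age") is not None:
        return float(attrs["max-age"])
    if attrs.get("expires") is not None:
        return (parsedate_to_datetime(attrs["expires"]) - now).total_seconds()
    return None

def audit_set_cookie(header, now=None, max_lifetime=MAX_LIFETIME_SECONDS):
    """List the controls from the text that this Set-Cookie header violates."""
    now = now or datetime.now(timezone.utc)
    _name, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: script can read the cookie (XSS theft)")
    if "secure" not in attrs:
        findings.append("missing Secure: cookie is sent over plain HTTP (sniffing)")
    lifetime = lifetime_seconds(attrs, now)
    if lifetime is not None and lifetime > max_lifetime:
        findings.append(f"lifetime too long: {lifetime:.0f}s > {max_lifetime}s")
    return findings

def trace_allowed(options_response):
    """True if an OPTIONS response's Allow header lists TRACE (XST precondition)."""
    for line in options_response.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "allow":
            return "TRACE" in {m.strip().upper() for m in value.split(",")}
    return False

# Constructed sample headers and audit time (not captured from any real site).
WEAK_COOKIE = "SESSIONID=abc123; Path=/; Expires=Wed, 09 Jun 2021 10:18:14 GMT"
HARDENED_COOKIE = "SESSIONID=abc123; Path=/; HttpOnly; Secure; Max-Age=600"
OPTIONS_RESPONSE = "HTTP/1.1 200 OK\r\nAllow: GET, HEAD, POST, OPTIONS, TRACE\r\n"
AUDIT_TIME = datetime(2021, 6, 9, 9, 0, tzinfo=timezone.utc)
```

Running `audit_set_cookie(WEAK_COOKIE, now=AUDIT_TIME)` reports all three missing controls, while the hardened header yields no findings; `trace_allowed(OPTIONS_RESPONSE)` flags the server as XST-exposed.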