parsonsisconsulting

Parsons Software Security Consulting Blog

Posts Tagged ‘penetration testing

Cross Site Scripting and how to remediate

leave a comment »

When input isn’t properly validated and encoded Cross Site Scripting or XSS is possible.   This is when an attacker is able to execute a dynamic script.   To prove that a page is vulnerable to XSS I usually just do an alert pop up stating “XSS found by Matt”.   A black hat hacker can use this vulnerability to steal the user’s credentials or mounting phishing attacks or man in the middle attacks.   To remediate this vulnerability all input needs a white list validation scheme accepting only known good input and encode all output to prevent the script from running.  

Matt Parsons, CISSP, MSM, CWASE

mparsons@parsonsisconsulting.com

Image

Written by mparsons1980

June 25, 2013 at 2:27 pm

Why it is important to set the secure attribute on session cookies?

leave a comment »

When I do application security assessments I often see the secure attribute not set on session cookies over HTTPS.  It is fine to have non sensitive session cookies like language setting not set to secure but something as sensitive as the session cookie need to be set to secure so an attacker does not steal the session or the victim’s cookies and log on as the victim.   

Image

 

Image

Written by mparsons1980

June 25, 2013 at 11:57 am