Resolving The A5-Security Misconfiguration

While developing an internet based application, I came across an issue in a security assessment report, which is mentioned as today’s topic of mine.

In order to elaborate on the problem, let's take an example of an application which uses cookies-based authentication. In order to see the actual problem, you need to add Web Developer extension in Chrome or Firefox web browser.

So, you create an ASP.NET MVC or ASP.NET Web Forms application and use cookies-based authentication in your web application. Sending a cookie over an un-encrypted channel might allow an attacker to eavesdrop and intercept the cookie which is quite dangerous. This attacks comes under A5-Security Misconfiguration.

Example - 



Once you have added the Web Developer extension and run the web application, go to Web Developer settings.



When you click on the Setting button, it will pop up with the list of options that you may be interested in, as shown below. Here I am focused on cookies information.



Go to view cookie information and you will see the following.


The above figure demonstrates that we have two cookies that are being used uthntil is page.

The second cookie is a session.

I hope you have figured out the problem. So, as our application is to be available online, it’s prone to several attacks, and as a developer, we primarily think about turning paper requirement into real life apps. I am here mentioning only a specific best practice deviation which needs to be followed, in order to resolve the attack from the hacker.

So, what is this Secure attribute all about?

The Secure attribute tells the browser to only use this cookie via secure/encrypted connections. Web servers should also set this cookie via secure channels and, therefore, prevent anyone from intercepting the cookie.

Note: It is recommended that the ‘Secure’ attribute is set to True, for ensuring that the SSL connection is needed to access the cookie.

Solution or Best Practice

Add