Web Access Control

Cookie Attributes

Always store session information in cookies. Never pass session information as a query string parameter.

Domain attribute

The domain in which the cookie is valid.

Expires attribute

Determine when the cookie should be deleted.

expires=0 unless it’s a persistent cookie

HTTPOnly attribute

Stop JavaScript from reading the cookie values

HTTPOnly=true

Path attribute

Set pages and subfolders in which the cookie is available.

SameSite attribute

The SameSite attribute controls how cookies are sent for cross-domain requests. This attribute may have three values: ‘Lax’, ‘Strict’, or ‘None’. If the ‘None’ value is used, a website may create a cross-domain POST HTTP request to another website, and the browser automatically adds cookies to this request. This may lead to Cross-Site-Request-Forgery (CSRF) attacks if there are no additional protections in place (such as Anti-CSRF tokens).

Secure attribute

Avoid transmission over an insecure channel (e.g. HTTP)

Secure=true

Indirect Object Reference (IDOR)

  1. Identify id numbers in URL (or scripts)
  2. Manually change them or use Burp to automatically increment
  3. View other user’s data

Path Traversal

What is Path Traversal?

An attacker constructs a pathname that is intended to access a file or directory that is located underneath a root web site directory. One of the most common path traversal techniques is the ../ sequence, which almost all operating systems interpret it as the parent directory of the current location. This is referred to as relative path traversal.

Absolute path traversal is different in that the pathnames such as /etc/apache2 start at the root directory and include all the subdirectories needed to get to the target.

Sometime the injection of a null byte NUL may allow an attacker to truncate a generated filename to widen the scope of attack. For example, the software may add .png to any pathname, thus limiting the attacker to image files, but a null injection may bypass this restriction.

Recommendations

  • Don’t accept user input when using system calls if you don’t need to.
  • If you must allow user input, make sure you sanitize it and make sure they aren’t allow to supply all parts of the path.
  • Use indexes instead of parts of the file names when templating or using language files.
  • Use chroot jails (linux) and code access policies to deny access or modification of files.

Server Side Request Forgery (SSRF)

  • Restrict requests made BY the server, only to destinations that it needs.
  • Verify requested file type matches what is expected.
  • Display a generic error to the use, but log details.
  • Restrict requests to approved URL schemas

Cyber-Outpost-288 > Web Application Defense