Prevents eavesdropping and tampering attacks by providing end-to-end encryption.
• Uses long-term asymmetric encryption to establish short-term symmetric encryption.
• Standards change at the pace of technology.
• Testing this is actually hard, so use...
  – https://www.ssllabs.com/ssltest/
treat the domain's cookies.
• Secure – Restrict the cookie to TLS encrypted connections.
• HttpOnly – Prevent JavaScript from accessing the cookie.
• Never a good reason not to use these.
• Minor configuration change or minimal code.
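The two flags above can be checked directly from the Set-Cookie headers a site returns. The following is an added example (not from the original slides) that parses captured Set-Cookie header values, reports which cookies are missing Secure or HttpOnly, and shows how the standard library emits a header with both flags set. The sample headers are constructed for illustration.

```python
"""Report Set-Cookie headers missing the Secure / HttpOnly flags, and build a
compliant one.  Added example; sample headers below are constructed."""
from http import cookies

# Constructed sample response headers, as captured from developer tools.
SAMPLE_SET_COOKIE_HEADERS = [
    "sessionid=abc123; Path=/; Secure; HttpOnly",   # correct
    "prefs=dark; Path=/",                            # missing both flags
    "csrftoken=xyz; Path=/; Secure",                 # missing HttpOnly
]


def cookie_flags(header_value: str) -> dict:
    """Return the cookie name and whether each of the two flags is present.
    Attribute names are case-insensitive per RFC 6265, hence the lower()."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.lower() for p in parts[1:]}
    return {
        "name": name,
        "secure": "secure" in attrs,
        "httponly": "httponly" in attrs,
    }


def missing_flags(headers: list) -> dict:
    """Map each cookie name to the list of flags it lacks (empty if all good)."""
    findings = {}
    for header in headers:
        info = cookie_flags(header)
        missing = [flag for flag in ("Secure", "HttpOnly") if not info[flag.lower()]]
        if missing:
            findings[info["name"]] = missing
    return findings


def build_set_cookie(name: str, value: str) -> str:
    """Emit a Set-Cookie header value with both flags, using http.cookies.
    This is the 'minimal code' version of the fix."""
    jar = cookies.SimpleCookie()
    jar[name] = value
    jar[name]["path"] = "/"
    jar[name]["secure"] = True
    jar[name]["httponly"] = True
    return jar[name].OutputString()


if __name__ == "__main__":
    for cookie_name, flags in missing_flags(SAMPLE_SET_COOKIE_HEADERS).items():
        print("%s is missing: %s" % (cookie_name, ", ".join(flags)))
    print("Fixed header:", build_set_cookie("sessionid", "abc123"))
```

Running the script against the constructed headers flags `prefs` (both missing) and `csrftoken` (HttpOnly missing); the header built by `build_set_cookie` passes the same check.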
variable responses from requests using valid and invalid information.
• Response variations include error messages, lockouts, query string parameters, spacing, timing, anything really.
• Can exist anywhere the application formulates a response based on user-specific information.
  – Login, account recovery, registration, messaging, etc.
• Be consistent.
  – Not always easy to do.
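"Be consistent" covers both the message and the work done, since timing is one of the variations listed. The following added example (not from the original slides) shows a login handler that leaks whether an account exists next to one that returns the same status, message and hashing cost on every failure path. The user table, the dummy credential and the PBKDF2 iteration count are constructed assumptions.

```python
"""Login that does not reveal whether a username exists.  Added example; the
user table and iteration count are constructed assumptions."""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumption: tune to the deployment's latency budget


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted adaptive hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user table: username -> (salt, stored hash).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, hash_password("correct horse battery", _SALT))}

# Dummy credential verified when the username is unknown, so the unknown-user
# path performs the same hashing work as a known user with a wrong password.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("placeholder", _DUMMY_SALT)

GENERIC_FAILURE = {"status": 401, "message": "Invalid username or password."}


def leaky_login(username: str, password: str) -> dict:
    """The enumeration flaw: status, message and the amount of work all differ
    depending on whether the account exists."""
    if username not in USERS:
        return {"status": 404, "message": "No account with that username."}
    salt, stored = USERS[username]
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return {"status": 401, "message": "Incorrect password."}
    return {"status": 200, "message": "Welcome, %s." % username}


def login(username: str, password: str) -> dict:
    """Consistent response: one status, one message and one hash computation
    regardless of which part of the credential was wrong."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matches = hmac.compare_digest(hash_password(password, salt), stored)
    # The membership check comes after the hash so the work is always done,
    # and it guards against a guess that happens to equal the dummy password.
    if not matches or username not in USERS:
        return dict(GENERIC_FAILURE)
    return {"status": 200, "message": "Welcome, %s." % username}


if __name__ == "__main__":
    for fn in (leaky_login, login):
        print(fn.__name__, fn("alice", "wrong"), fn("no-such-user", "wrong"))
```

The same pattern applies to account recovery and registration: "if an account exists we have sent an email" is the consistent form of the recovery response.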
information belonging to other users by tampering with direct object references.
• Not always an integer.
  – GUIDs, encoded DORs, etc.
  – Almost always indicates an IDOR issue.
• One of the most common and easily exploitable flaws, yet impossible for scanners to find.
• Check ownership of the referenced object.
higher privilege functionality by force browsing to obscured resources.
• Access controls in the view must match the access controls on the controller.
• Another common and easily exploitable flaw that is impossible for scanners to find.
• Check the permission level of the requested resource.
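Both of the preceding slides come down to a check the controller must perform itself: ownership of the referenced object (IDOR) and the permission level of the requested function. The following added example (not from the original slides) implements both in one small in-memory controller: GUID object references with an ownership check beside the unchecked version, and a role check applied on the controller rather than in the view. The document store, the users, the roles and the GUIDs are constructed.

```python
"""Object-level (IDOR) and function-level access checks on a controller.
Added example; users, roles, GUIDs and documents are constructed."""
import uuid
from functools import wraps


class Forbidden(Exception):
    """Caller is authenticated but lacks the permission level."""


class NotFound(Exception):
    """Object is missing or not owned by the caller (deliberately the same)."""


# Constructed data.  Non-integer references do not make the check optional.
ALICE_DOC = "7d9a7f3e-3d7b-4a6e-9d7e-0a9a4e1c2b11"
BOB_DOC = "c4e5b2a1-8f0d-4b3c-a6e7-5d1f2c3b4a99"
USERS = {"alice": {"role": "user"}, "bob": {"role": "user"}, "carol": {"role": "admin"}}
DOCS = {
    ALICE_DOC: {"owner": "alice", "body": "alice's notes"},
    BOB_DOC: {"owner": "bob", "body": "bob's notes"},
}


def require_role(role: str):
    """Function-level check on the controller.  Hiding the link in the view
    is not access control; force browsing bypasses the view entirely."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(current_user, *args, **kwargs):
            if USERS.get(current_user, {}).get("role") != role:
                raise Forbidden("%s requires role %r" % (fn.__name__, role))
            return fn(current_user, *args, **kwargs)
        return wrapper
    return decorator


def get_document(current_user: str, doc_id: str) -> str:
    """IDOR-safe read: the reference is validated, looked up, and its owner
    compared with the caller.  Missing and foreign objects get the same
    error so the response does not reveal which GUIDs exist."""
    try:
        uuid.UUID(doc_id)
    except ValueError:
        raise NotFound("document not found")
    doc = DOCS.get(doc_id)
    if doc is None or doc["owner"] != current_user:
        raise NotFound("document not found")
    return doc["body"]


def get_document_insecure(current_user: str, doc_id: str) -> str:
    """The flaw: trusts whatever reference arrives in the request."""
    return DOCS[doc_id]["body"]


@require_role("admin")
def list_all_users(current_user: str) -> list:
    """Admin-only function; a normal user force browsing here gets Forbidden."""
    return sorted(USERS)


def outcome(fn, *args) -> str:
    """Describe a controller call's result as an HTTP-style string."""
    try:
        return "200: %r" % (fn(*args),)
    except Forbidden as err:
        return "403: %s" % err
    except NotFound as err:
        return "404: %s" % err


if __name__ == "__main__":
    print(outcome(get_document, "alice", ALICE_DOC))           # own document
    print(outcome(get_document, "alice", BOB_DOC))             # tampered reference
    print(outcome(get_document_insecure, "alice", BOB_DOC))    # the flaw
    print(outcome(list_all_users, "carol"))                    # admin
    print(outcome(list_all_users, "alice"))                    # force browse
```

The ownership check lives in the data access path rather than in the handler that renders the page, so every route that resolves a reference inherits it.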
tell a user their password.
• Encoding != Encryption != Hashing
• Key management for encryption is hard.
  – Access to the cipher usually means access to the key.
• Not all hashing algorithms are created equal.
  – Fast hashing vs. Adaptive hashing
• Design storage systems assuming eventual compromise.
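The three distinctions above can be seen in a few lines. The following added example (not from the original slides) shows that Base64 encoding is reversible without any key, that a fast unsalted hash maps equal passwords to equal outputs, and that a salted adaptive hash gives each user a different stored value and makes every guess cost a configurable amount of work; a rough timing comparison shows the cost difference. The PBKDF2 iteration count is an assumption.

```python
"""Encoding vs. fast hashing vs. salted adaptive hashing for stored passwords.
Added example; the iteration count is an assumption."""
import base64
import hashlib
import hmac
import os
import time

ITERATIONS = 200_000  # assumption: tune so one verification costs tens of ms


def encode_password(password: str) -> str:
    """Encoding is a representation, not protection: no key is needed to undo it."""
    return base64.b64encode(password.encode()).decode()


def decode_password(encoded: str) -> str:
    return base64.b64decode(encoded).decode()


def fast_hash(password: str) -> str:
    """Fast, unsalted: equal passwords give equal digests, so one precomputed
    table serves every user, and each guess costs one cheap SHA-256."""
    return hashlib.sha256(password.encode()).hexdigest()


def adaptive_hash(password: str, salt: bytes = None) -> str:
    """Salted and iterated: every user gets a different digest for the same
    password, and each guess must repeat ITERATIONS rounds per user."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_adaptive(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(recomputed.hex(), digest_hex)


def cost_ratio(samples: int = 2000) -> float:
    """Approximate per-guess cost of the adaptive hash relative to the fast one."""
    start = time.perf_counter()
    for i in range(samples):
        fast_hash("guess%d" % i)
    fast_each = max((time.perf_counter() - start) / samples, 1e-9)
    start = time.perf_counter()
    adaptive_hash("guess", b"\x00" * 16)
    adaptive_each = time.perf_counter() - start
    return adaptive_each / fast_each


if __name__ == "__main__":
    print("encoded:", encode_password("hunter2"), "->", decode_password(encode_password("hunter2")))
    print("fast, user 1:", fast_hash("hunter2"))
    print("fast, user 2:", fast_hash("hunter2"))
    print("adaptive, user 1:", adaptive_hash("hunter2"))
    print("adaptive, user 2:", adaptive_hash("hunter2"))
    print("guess cost ratio (adaptive / fast): %.0f" % cost_ratio())
```

Because the adaptive form embeds its own salt and iteration count, the count can be raised over time and old records re-hashed at next login, which is what "standards change at the pace of technology" means for a password table that is assumed to leak eventually.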
• Cookie Flags - Developer tools.
• User Enumeration - Check known goods vs. known bads.
• Insecure Direct Object Reference - Change the DORs.
• Missing Function Level Access Control - Force browse.
• Password Security - Look for evidence.