
Difference between revisions of "Cornucopia - Ecommerce Website - SM 9"

From OWASP
Latest revision as of 16:21, 21 January 2016

[Card image: Cornucopia - Ecommerce Website SM 9.png]

Suit: Session management

Card/Value: 9

Description:

Ivan can steal session identifiers because they are sent over insecure channels, or are logged, or are revealed in error messages, or are included in URLs, or are accessible unnecessarily by code which the attacker can influence or alter.

Technical Note:

Protect session identifiers as if they are account credentials. For HTTP cookies:

  • Set cookies with the HttpOnly attribute, unless you specifically require client-side scripts within your application to read or set a cookie's value.
  • Set the 'secure' attribute for cookies transmitted over a TLS connection.
  • Consider making the whole ecommerce website 'SSL-only', adding the HTTP Strict Transport Security (HSTS) header and adding the domain to web browser pre-load lists.
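
As an added example (not part of the original card or of the Cornucopia project), a small Python audit that checks a response's Set-Cookie and Strict-Transport-Security headers against the three points above, flags a session identifier carried in a URL query string, and builds a Set-Cookie header with HttpOnly and Secure set; the list of session cookie names and the sample headers are constructed assumptions.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlparse, parse_qs

# Cookie names assumed to carry a session identifier (assumption for this example).
SESSION_COOKIE_NAMES = {"sessionid", "JSESSIONID", "PHPSESSID", "session"}


def session_cookie_header(name: str, value: str, max_age: int = 1800) -> str:
    """Build a Set-Cookie header value for a session identifier with HttpOnly and Secure set."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["httponly"] = True   # not readable by client-side script
    jar[name]["secure"] = True     # only sent over TLS
    jar[name]["path"] = "/"
    jar[name]["max-age"] = max_age
    return jar[name].OutputString()


def audit_response(headers: list) -> list:
    """Return findings for session cookies lacking HttpOnly/Secure and for a missing HSTS header.

    `headers` is a list of (name, value) pairs as they would appear in an HTTP response."""
    findings = []
    hsts_present = False
    for hname, hvalue in headers:
        if hname.lower() == "strict-transport-security":
            hsts_present = True
        elif hname.lower() == "set-cookie":
            jar = SimpleCookie()
            jar.load(hvalue)  # parses attributes such as HttpOnly and Secure into the morsel
            for cname, morsel in jar.items():
                if cname not in SESSION_COOKIE_NAMES:
                    continue
                if not morsel["httponly"]:
                    findings.append(f"{cname}: missing HttpOnly")
                if not morsel["secure"]:
                    findings.append(f"{cname}: missing Secure")
    if not hsts_present:
        findings.append("response: missing Strict-Transport-Security header")
    return findings


def session_id_in_url(url: str) -> list:
    """Return the session cookie names that appear as query parameters in a URL."""
    return sorted(k for k in parse_qs(urlparse(url).query) if k in SESSION_COOKIE_NAMES)


# Constructed sample response headers (not captured traffic): the session cookie has neither flag.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=a1b2c3; Path=/"),
    ("Set-Cookie", "theme=dark; Path=/"),
]
```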

References:

OWASP SCP   OWASP ASVS   OWASP AppSensor   CAPEC   SAFECODE
69          3.6          SE4               31      28
75          3.14         SE5               60
76          3.15         SE6
119         8.10
138         10.3

