
Cornucopia - Ecommerce Website - SM 9


Suit: Session management

Card/Value: 9

Description:

Ivan can steal session identifiers because they are sent over insecure channels, or are logged, or are revealed in error messages, or are included in URLs, or are accessible unnecessarily by code which the attacker can influence or alter.

Technical Note:

Protect session identifiers as if they are account credentials. For HTTP cookies:

  • Set cookies with the HttpOnly attribute, unless you specifically require client-side scripts within your application to read or set a cookie's value.
  • Set the 'Secure' attribute for cookies transmitted over a TLS connection.
  • Consider making the whole ecommerce website 'SSL-only', adding the HTTP Strict Transport Security (HSTS) header and adding the domain to web browser pre-load lists.
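As an added example (not part of the OWASP card), the following Python applies the technical note above: it emits a session cookie with HttpOnly and Secure, audits an outgoing Set-Cookie header for those attributes, flags session identifiers carried in URLs, and redacts them before log lines or error text are written. The cookie name SESSIONID, the HSTS header value and the sample log line are constructed for this example.

```python
import re
from http import cookies
from urllib.parse import parse_qsl, urlparse

# Cookie name is an assumption for this example; use your framework's real name.
SESSION_COOKIE = "SESSIONID"

# HSTS as the card suggests: one year, all subdomains, eligible for browser preload lists.
HSTS_HEADER = ("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload")

def build_session_cookie(session_id: str) -> str:
    """Set-Cookie value with HttpOnly (no script access) and Secure (TLS only)."""
    jar = cookies.SimpleCookie()
    jar[SESSION_COOKIE] = session_id
    jar[SESSION_COOKIE]["httponly"] = True
    jar[SESSION_COOKIE]["secure"] = True
    jar[SESSION_COOKIE]["path"] = "/"
    return jar[SESSION_COOKIE].OutputString()

def audit_set_cookie(header: str) -> list:
    """Return the weaknesses from this card found in an outgoing Set-Cookie header."""
    attrs = {part.strip().split("=", 1)[0].lower() for part in header.split(";")[1:]}
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: client-side script can read the session id")
    if "secure" not in attrs:
        findings.append("missing Secure: cookie may be sent over plaintext HTTP")
    return findings

def url_carries_session_id(url: str) -> bool:
    """True when the session id is in the query string (proxies, history and Referer record it)."""
    keys = {k.lower() for k, _ in parse_qsl(urlparse(url).query, keep_blank_values=True)}
    return SESSION_COOKIE.lower() in keys

# Matches 'SESSIONID=<value>' in cookie headers, URLs and stack traces alike.
_SESSION_ID_RE = re.compile(r"(?i)(%s=)([^;&\s]+)" % re.escape(SESSION_COOKIE))

def redact_session_ids(text: str) -> str:
    """Mask session identifiers before text reaches a log file or an error page."""
    return _SESSION_ID_RE.sub(lambda m: m.group(1) + "[REDACTED]", text)

if __name__ == "__main__":
    # Constructed sample log line, not taken from a real system.
    line = 'GET /cart?SESSIONID=9f3a1c HTTP/1.1 cookie="SESSIONID=9f3a1c; Path=/"'
    print(redact_session_ids(line))
    print(audit_set_cookie("SESSIONID=9f3a1c; Path=/"))
```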

References:

  OWASP SCP   OWASP ASVS   OWASP AppSensor   CAPEC   SAFECODE
  69          3.6          SE4               31      28
  75          3.14         SE5               60
  76          3.15         SE6
  119         8.10
  138         10.3

