Questions about security of Website

[Matthew]

Hello Bruce

Ernst & Young company did the security audit of my website. I have a final report. Therefore, I have a few questions:

1. About Referer (HTTP header field)

My web application is susceptible to Reflected Cross - Site Scripting attacks via HTTP header field - Referer.
It is possible to modify GET request and type in the Referer field some script. For example:

GET /HomeSite HTTP/1.1
Host: MyWebSite.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: 4a883"> <BODY ONLOAD=alert('test')>

In this case, it will display a message to the user.

Questions:
1. Is it possible to turn of Referer field?
2. Is it possible to validate Referer field?

2. About Secure flag in SessionID

By using Secure flag the SessionID can be transmitted only by using an encrypted HTTPS.
No Secure flag makes the SessionID can also be sent via unencrypted HTTP protocol, which could potentially allow an attacker to capture the SessionID.

Question:
1. How can I set the Secure flag for SessionID?

3. About HTTP X-FRAME-OPTIONS

My web application is susceptible to Clickjacking (UI Redress) attacks. This means that it is possible to cover one frame to another.

The implementation of the type of clickjacking attack could allow an attacker to persuade the user to perform certain actions in the application.
It should be noted that this concerns mainly the actions that can be performed by clicks on links.

Question:
1. How can I set HTTP X-FRAME-OPTIONS to SAMEORIGIN or DENY?


Improving these points will increase the security of my website.


Additional question:
1. Is it possible to hide version of NetTalk or PHP in HTTP header?

Regards,
Matthew

[Bruce]

Hi Matthew,

These sorts of audits get done from time to time, and they're definitely a good thing. Thanks for sharing the results, it's helpful to everyone to make it as tight as possible.

For my reference - which build of NetTalk are you using here?

1. I'll get this fixed.

2. As far as I was aware the cookies were set to ,SECURE when using HTTPS. I'll verify this.

3. I'll research the header and see if I can make it easy. Embedding custom headers is not hard, but obviously if this is a common header, which should be there, then I'll add it in as a default, or an option.

>> 1. Is it possible to hide version of NetTalk or PHP in HTTP header?

I'll check into this as well. By PHP I presume you are using the PHP support in NetTalk, and that's adding a version number to the header?

Cheers
Bruce

[Bruce]

Hi Matthew,

All the items below apply to build 7.32 and later.

some feedback:
a) I've added the SECURE tag to session cookies by default. This can be turned off for those folk doing secure/non-secure stuff and need the same session ID, but it's not recommended, so the default is just on.

b) you can change the Netalk server version header if you like - in WebHandler procedure, CreateHeader method, before parent call, set p_HeaderDetails.Server to anything you like (including blank).

eg
p_HeaderDetails.Server = 'whatever'
or
p_HeaderDetails.Server = ''

In the same place the p_HeaderDetails.php string contains the headers returned by the PHP engine - you can modify that if you like. I'm not sure you can just set it to blank, because there may be multiple headers used there. But have a look to see what is there, and modify it accordingly.

c) I've added a x-frame-options header to the Security Tab in the WebServer procedure. The default is 'sameorigin'. Other possible options are blank, 'deny' or 'allow-from'. The only people who will need to change the default are those who are explicitly expecting their site to be included in a FRAME on another site.

d) regarding the Referer header field;
perhaps you can send me the full report? I've inspected the code, but as far as I can see the referer field is not used, at least not in a way where it is reflected back to the web page. (*) - Is there more information on where exactly they get that effect in your app? - Perhaps it is used, and returned, by the PHP engine?

(*) - There is one place it is sent back to the web page, but that's a special case, and would not be triggered by the text you had in your report above. I'm not sure if it's this case they have isolated though.