Tag Archive: http


Strict-Transport-Security

This HTTP header does two things:

Require all traffic to go through an SSL tunnel
Refuse connections with certificate issues

By setting this HTTP header you can force your website to use an SSL connection for all traffic and prevent users from clicking through a certificate issue on your website.

This header can help prevent man-in-the-middle attacks. An attacker can remove the SSL tunnel (downgrade https to http) or use a custom-signed certificate (most users would click through the warning anyway). With this HTTP header set, the browser would not allow the connection, either because it requires SSL or because of the certificate issue. The attacker could, however, just remove this header.

This header has a parameter, max-age, which instructs the browser to remember the settings for this header for that many seconds. If a user has visited the website before and the browser still remembers the settings, they are not vulnerable to this attack.


HTTP Framesniffing

Framesniffing is a method an attacker can use to gather information from a website that you are visiting. The attack uses HTML anchors to identify pieces of information on the web page.
An anchor is a way for HTML to mark certain pieces of HTML code so that the user can jump to that section of the page. For example, if you wanted the user to jump to the login section of a web page:

http://www.someurl.com/login#Login

The #Login is the anchor of the page; it is represented with the ‘id’ attribute, so in our example it would be

… Modern websites have several anchors embedded within them.

An attacker could trick a user into loading a page he controls and, using an IFRAME, load another page with the anchor appended; if the page ‘jumps’, the attacker has found what he is looking for.
By combining a website's internal search function with anchors, an attacker can search for specific pieces of information. Most search functions allow the user to use wildcards, such as ‘*’.

http://www.someurl.com/search.aspx?q=w*#NoResults

If the above page ‘jumps’, the attacker knows that no results were found; if it doesn't jump, a result exists. Repeating this narrows down the information they are looking for.

Framesniffing can be disabled if the website sends the “X-Frame-Options” header. The possible values for X-Frame-Options are

DENY
SAMEORIGIN

Setting it to DENY refuses to load the page in any IFRAME, and SAMEORIGIN only allows the page to be framed from the same domain.

At the time of this writing, I was not able to find a method to prevent this from the web browser side (except Firefox, which has fixed this issue).
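As an added example (not part of either post above), the following audit checks a raw HTTP response head for both headers discussed on this page: that Strict-Transport-Security is present with a sensible max-age, and that X-Frame-Options is DENY or SAMEORIGIN. The sample responses are constructed, not captured from any real site, and the minimum max-age of one year is an assumption.

```python
import re

# Constructed sample response heads (not captured from any real site).
GOOD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n\r\n"
)
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=0\r\n"  # max-age=0 tells the browser to forget the policy
    "X-Frame-Options: ALLOWALL\r\n\r\n"  # not a recognised value, so it gives no protection
)

def parse_headers(raw):
    """Map lower-cased header names to values, skipping the status line."""
    headers = {}
    for line in raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def hsts_max_age(value):
    """Return the max-age directive as an int, or None if absent/malformed."""
    m = re.search(r'max-age\s*=\s*"?(\d+)"?', value, re.IGNORECASE)
    return int(m.group(1)) if m else None

def audit(raw, min_max_age=31536000):
    """Return findings for the two headers; an empty list means both are set sensibly."""
    h = parse_headers(raw)
    findings = []
    # Browsers only honour HSTS when it arrives over HTTPS; the same header in a plain
    # HTTP response is ignored, which is why the very first visit is the weak spot.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing: browser will not remember to require SSL")
    else:
        age = hsts_max_age(hsts)
        if age is None:
            findings.append("HSTS present but max-age is missing or malformed")
        elif age == 0:
            findings.append("HSTS max-age=0 clears the policy instead of enforcing it")
        elif age < min_max_age:
            findings.append(f"HSTS max-age {age} is shorter than {min_max_age}")
    xfo = h.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN: page can be framed")
    return findings
```

Run `audit(GOOD_RESPONSE)` for an empty list and `audit(WEAK_RESPONSE)` for one finding per header.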