Ovely permissive CORS

Origin header is sent by the browser in a CORS request and indicates that origin request. It may be spoofed outside the browser, so need to check that application-level protocols for protect sensitive data.

Access-Control-Allow-Origin is a response header used by a server to indicate which domains are allowed to read the response.

Insecure configurations as for example using '*' wildcard as value of the Access-Control-Allow-Origin header means all domains are allowed. Other insecure example is when the server returns back the Origin header without any additional checks, what can lead to access of sensitive data. This configuration is very insecure, and is not acceptable, except in case of a public API that is intended to be accessible by everyone.

add_header Access-Control-Allow-Origin $cors_header;

add_header Access-Control-Allow-Credentials true;

Query Parameter SSL

URL contain a sensitive query parameter and stored in the browser history. Web application may be configured log the URL of all request. So, result is sensitive parameter is saved in the log.

Fix:

The solution to this problem requires two steps:

· If necessary then pass sensitive data. Once a user is authenticated with a session ID limited lifetime.

· Use non-persistent, session level cookies to hold session IDs and other private data.

The advantage of using session level cookies to carry this information:

· They are not stored in the browsers history or on the disk

· They are usually not stored in server logs

· They are not passed to embedded resources such as images or javascript libraries

. They only apply to the domain and path for which they were issued

Insecure HTTP Methods Enabled

Attacker sends a request of type "OPTIONS" to the Web server of your application to determine what HTTP methods are supported by the server. Allow: HEAD, GET, PUT, POST, DELETE, TRACE, OPTIONS

The header Allow includes a list of supported HTTP methods.

Application is insecure if Allow header contains methods such as DELETE or PUT.

Web Application Source Code Disclosure Pattern Found

It is possible to retrieve the source code from server side script and also may possible to expose the business logic or sensitive information such as username and password.

Possible Causes

· Patches for 3rd. party products were not installed

· Temporary files were left in production environment

· Debugging information was left by the programmer in web pages

Application source code should not be accessible to web users, as it may contain sensitive application information and back-end logic.

It can give an attacker useful guidance for future exploitation. Leakage of sensitive information may carry various levels of risk and should be limited whenever possible.

Recommendation

There are many ways to revealing application source code. To ensure that your application does not allow web users access to source code. [1] Check that all system patches related to source code disclosure are installed. [2] Check that no application source code is left in HTML comments. [3] Check that all source code files are removed from the production environment

Security terms Salt, Nonce, Rainbow

Salt

A new salt (form of encryption) is randomly generated for each password. Setting a salt and a password are concatenated and processed with a cryptographic hash function, and the resulting output (but not the original password) is stored with the salt in a database.

Nonce

Nonce is an arbitrary number used only once in a cryptographic communication. It is a random or pseudo-random number issued in an authentication protocol to ensure that old communications cannot be reused in replay attacks.

Rainbow

A rainbow table is a precomputed table. This table use for reversing cryptographic hash function, usually for cracking password hashes. Tables using for recover a plaintext password up to a certain length consisting of a limited set of characters. It take less computer processing time and more storage than a brute-force attack which calculates a hash on every attempt, but more processing time and less storage than a simple lookup table with one entry per hash.