Earlier this year I was doing my usual trick of browsing websites and writing about things that were readily observable about some rather ordinary security practices. When I say “readily observable” I’m talking about things such as cookies not flagged as HttpOnly or SSL login forms embedded into HTTP pages. This stuff is so easy to find because it’s staring you right in the face when you load up a website; yet somehow these problems remain extremely common.
The root cause, of course, is that we don’t know what we don’t know. Many developers are not aware that a cookie not flagged as HttpOnly can be read by JavaScript, including script injected into the page through an XSS flaw, and that the session it carries then walks out the door with it. They also haven’t thought through how an HTTP page can be manipulated by a man in the middle so that it serves a rogue login form and the user is none the wiser; the form posting to HTTPS doesn’t help when the page it sits in can be rewritten in transit. And how many people have really thought about how a clickjacking attack is actually executed? And for that matter, how many people realise that you can mitigate it with a single response header?
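The three “readily observable” problems above can be checked mechanically from a captured response, and the fixes are a cookie attribute and one response header. The block below is an added example, not code from the original post: it audits a constructed response object for a non-HttpOnly cookie, an HTTPS login form on an HTTP page and a missing framing restriction, and shows the hardened header set. The header name `X-Frame-Options`, the `auditResponse`/`hardenedHeaders` function names and both sample responses are assumptions made for the example.

```javascript
// Added example (not from the original post). Audits a response for the three
// issues discussed above and shows the headers that close them. X-Frame-Options,
// the function names and the sample responses are assumptions for this example.

// Split a Set-Cookie value into the cookie name and its lower-cased attribute names.
function parseSetCookie(value) {
  const [nameValue, ...attrs] = value.split(';').map((p) => p.trim()).filter(Boolean);
  return {
    name: nameValue.split('=')[0],
    attrs: attrs.map((a) => a.split('=')[0].toLowerCase()),
  };
}

// resp is a constructed object: { url, headers (lower-case keys), setCookie (array), body }.
// Returns a list of human-readable findings; an empty list means all three checks passed.
function auditResponse(resp) {
  const findings = [];

  // 1. A cookie without HttpOnly is readable via document.cookie by injected script.
  for (const raw of resp.setCookie || []) {
    const cookie = parseSetCookie(raw);
    if (!cookie.attrs.includes('httponly')) {
      findings.push(`cookie "${cookie.name}" is not HttpOnly`);
    }
  }

  // 2. A login form served in an HTTP page can be swapped out by a man in the middle,
  //    regardless of the HTTPS action it posts to.
  if (resp.url.startsWith('http://') && /<form\b[^>]*\baction="https:/i.test(resp.body || '')) {
    findings.push('HTTPS login form embedded in an HTTP page');
  }

  // 3. Without a framing restriction the page can be loaded in a hidden iframe and clickjacked.
  const xfo = (resp.headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo !== 'DENY' && xfo !== 'SAMEORIGIN') {
    findings.push('no X-Frame-Options header: page may be framed');
  }

  return findings;
}

// Response headers that close the cookie and framing issues. Serving the page itself
// over HTTPS removes the man-in-the-middle problem; the other two are one line each.
function hardenedHeaders(sessionId) {
  return {
    'set-cookie': [`session=${sessionId}; Path=/; Secure; HttpOnly`],
    'x-frame-options': 'DENY',
  };
}

// Constructed sample responses for the example.
const WEAK_RESPONSE = {
  url: 'http://example.test/login',
  headers: {},
  setCookie: ['session=abc123; Path=/'],
  body: '<form action="https://example.test/login" method="post">...</form>',
};

const HARDENED_RESPONSE = {
  url: 'https://example.test/login',
  headers: { 'x-frame-options': hardenedHeaders('abc123')['x-frame-options'] },
  setCookie: hardenedHeaders('abc123')['set-cookie'],
  body: '<form action="https://example.test/login" method="post">...</form>',
};

console.log(auditResponse(WEAK_RESPONSE));     // three findings, one per issue
console.log(auditResponse(HARDENED_RESPONSE)); // []
```

Run it with `node` and the weak response reports all three problems while the hardened one reports none. The audit deliberately treats anything other than `DENY` or `SAMEORIGIN` as unprotected, because a misspelt or empty value is just as framable as no header at all.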