Autocomplete Enabled

If autocomplete is enabled on a form, the browser may offer to store sensitive values such as the username or other personal information.
If a user saves data entered in these fields, the browser caches it, and anyone who later gets access to that browser can retrieve it.
This is especially important if the application is used on computers in public places, such as cyber-cafes or airport terminals.

To fix this, add the attribute autocomplete="off" to the form tag or to the individual input fields.

Active Mixed Content over HTTPS

This error occurs when content is loaded over HTTP within an HTTPS page.
If the HTTPS page includes active content such as scripts or stylesheets retrieved through regular, cleartext HTTP, then the connection is only partially encrypted.

There are a few technologies that deal with this type of mixed content issue:

1. HTTP Strict Transport Security (HSTS) is a mechanism that enforces secure resource retrieval, even in the face of user mistakes (such as attempting to access the web site on port 80) or coding errors.

2. Content Security Policy (CSP) can be used to block insecure resource retrieval from third-party web sites.

Set the .htaccess rule as - (replace "domain" with the origin you actually load resources from; a CSP value must start with a directive such as default-src)

Header set Content-Security-Policy "default-src 'self' domain"

HTTP Strict Transport Security (HSTS) Errors and Warnings

HSTS errors and warnings allow attackers to bypass HSTS and then read or modify communication with the website.
To fix this error, consider adding the domain to the HSTS preload list.
This ensures that browsers automatically connect to your website using HTTPS and prevents users from visiting your website over HTTP.

Set the .htaccess rule as -

Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS

TRACE/TRACK Method Detected

This issue occurs when the TRACE/TRACK method is allowed. Using the TRACE/TRACK method, it is possible to bypass the HttpOnly cookie restriction and read the cookies in a cross-site scripting attack.

You should disable this method on all production systems. Even if the application is not vulnerable to cross-site scripting, a debugging feature such as TRACE/TRACK should not be required in a production system and should therefore be disabled.

Set the .htaccess rule as - (mod_rewrite must be enabled for the rule to take effect)

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

Insecure Frame (External)

An insecure frame occurs when an external iframe is unsecured or misconfigured.

IFrame sandboxing applies a set of additional restrictions to the content within a frame and restricts potentially malicious code from causing harm to the web page.

For example, apply the sandbox attribute to the inline frame -

<iframe sandbox src="url"></iframe>

Phishing by Navigating Browser Tabs

Phishing by navigating browser tabs occurs when a window opened from a normal href with target="_blank" can modify window.opener.location and replace the parent web page with something else, even on a different origin.
This allows phishing attacks that silently replace the parent tab. If the links lack the rel="noopener noreferrer" attribute, a third-party site can change the URL of the source tab using window.opener.location.assign and trick users into thinking they are still on a trusted page, leading them to enter their sensitive data on the malicious website.

You should add rel="noopener" to such links to prevent pages from abusing window.opener. This ensures that the opened page cannot access the window.opener property in Chrome and Opera browsers.

For Example -

<a href="..." target="_blank" rel="noopener noreferrer">...</a>

Passive Mixed Content over HTTPS

Passive mixed content over HTTPS occurs when display-only content (such as images) is loaded over HTTP within an HTTPS page. If the HTTPS page includes content retrieved through regular, cleartext HTTP, then the connection is only partially encrypted.

There are two technologies that help with mixed content issues -

1. HTTP Strict Transport Security (HSTS) enforces secure resource retrieval, even in the face of user mistakes (attempting to access your web site on port 80) and implementation mistakes.

Set the .htaccess rule as -

Header set Strict-Transport-Security "max-age=10886400; includeSubDomains"


2. Content Security Policy (CSP) can be used to block insecure resource retrieval from third-party web sites.

Set the .htaccess rule as - (the value must begin with a directive such as default-src; "domain.com" stands for the origin you load resources from)

Header set Content-Security-Policy "default-src 'self' domain.com"
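The two mixed-content sections above describe the problem in terms of what the browser does; a defender also wants a way to find such references in the pages they serve. The following scanner is an added example, not code from the original article, and it splits tag/attribute pairs into the active and passive classes the article uses. The sample page at the bottom is constructed for the demonstration and the host names in it are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag/attribute pairs classified the way the article does: "active" content
# (scripts, stylesheets, frames, plugins) runs in the page context, "passive"
# content (images, media) is display-only.
ACTIVE = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, url)

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        kind, url = None, None
        if tag in ACTIVE:
            kind, url = "active", attr.get(ACTIVE[tag])
        elif tag == "link" and "stylesheet" in (attr.get("rel") or "").lower():
            kind, url = "active", attr.get("href")
        elif tag in PASSIVE:
            kind, url = "passive", attr.get(PASSIVE[tag])
        # Only absolute http:// URLs are mixed content: https://, protocol-relative
        # (//host/...) and same-origin relative URLs inherit the page's scheme.
        if url and urlparse(url).scheme.lower() == "http":
            self.findings.append((kind, tag, url))


def scan_mixed_content(html_text):
    """Return a list of (kind, tag, url) for every http:// resource reference."""
    scanner = MixedContentScanner()
    scanner.feed(html_text)
    scanner.close()
    return scanner.findings


# Constructed sample page; the host names are placeholders, not real sites.
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="http://cdn.example/site.css">
<link rel="stylesheet" href="https://cdn.example/safe.css">
<script src="http://cdn.example/app.js"></script>
<script src="//cdn.example/proto-relative.js"></script>
</head><body>
<img src="http://images.example/logo.png">
<img src="/local/logo.png">
<iframe src="https://partner.example/widget"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for kind, tag, url in scan_mixed_content(SAMPLE_PAGE):
        print(f"{kind:7} <{tag}> {url}")
```

Run it against the HTML your server actually emits (a saved response body works); every "active" finding is something a CSP or HSTS header only masks, so the reference itself should be changed to https.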

Cookie Not Marked as Secure

This issue occurs when a session cookie is transmitted over HTTPS but is not marked as Secure. This means the cookie could be stolen by an attacker who can successfully intercept the traffic.
Such a cookie will also be transmitted over an HTTP connection, so an attacker might intercept it and hijack the session.
If the attacker can carry out such an attack, he can force the user to make an HTTP request to your website in order to steal the cookie.

So you should mark all cookies used within the application as Secure.

.htaccess rule - (Header edit appends the flag to every Set-Cookie header the application emits; "Header set Set-Cookie Secure" would instead replace the cookie with a bare value)

Header edit Set-Cookie ^(.*)$ "$1; Secure"

Similarly, the rule for web.config -

<!-- goes inside <system.webServer><rewrite><outboundRules> -->
<rule name="Add Secure">
  <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" />
  <conditions>
    <add input="{R:0}" pattern="; Secure" negate="true" />
  </conditions>
  <action type="Rewrite" value="{R:0}; Secure" />
</rule>

Cross Site Request Forgery

Cross Site Request Forgery, or CSRF, is a very common vulnerability. It forces the user to execute unwanted actions on a web application.
An attacker can mount any of the actions that can be performed by the logged-in user, such as modifying content or deleting data. All the actions that are available to the user can be used by the attacker.

To avoid this, you can send additional information in each HTTP request that can be used to determine whether the request came from an authorized source. If a request is missing a validation token, or the token does not match the expected value, the server should reject the request.

If you are posting a form in an AJAX request, custom HTTP headers can be used to prevent CSRF.
For jQuery, if you want to add a custom header to -

a. individual request
$.ajax({
    url: 'xyz/',
    headers: { 'my-custom-header': 'somevalue' }
});

b. every request
$.ajaxSetup({
    headers: { 'my-custom-header': 'somevalue' }
});
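The jQuery snippets show the client half: the browser attaches a token to the request. The server half, rejecting requests whose token is missing or does not match, is what the paragraph above describes. The following is an added example, not code from the article, of that server-side check in Python; the header name X-CSRF-Token, the form field name csrf_token and the per-session HMAC derivation are assumptions of this example, as is the server key, which would normally come from configuration.

```python
import hashlib
import hmac
import secrets

# Constructed server-side key for the example; load it from configuration in practice.
SERVER_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Derive a per-session token as HMAC-SHA256(server key, session id).

    The server never stores the token: it recomputes it from the session id,
    so a token is only valid together with the session it was issued for.
    """
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def validate_csrf(session_id, headers, form, trusted_origin):
    """Return (ok, reason) for a state-changing request.

    The token may arrive in the custom header an AJAX caller sets or in a
    hidden form field; a plain cross-site form post can set neither correctly.
    """
    presented = headers.get("X-CSRF-Token") or form.get("csrf_token")
    if not presented:
        return False, "missing token"
    # constant-time comparison so a mismatch cannot be detected byte by byte
    if not hmac.compare_digest(presented, issue_csrf_token(session_id)):
        return False, "token mismatch"
    # Defence in depth: browsers send Origin on cross-site POSTs, so a request
    # from another origin is rejected even if a token has leaked.
    origin = headers.get("Origin")
    if origin is not None and origin != trusted_origin:
        return False, "cross-origin request"
    return True, "ok"


if __name__ == "__main__":
    sid = "constructed-session-id"
    token = issue_csrf_token(sid)
    # what the jQuery $.ajaxSetup call above would produce on the wire
    print(validate_csrf(sid, {"X-CSRF-Token": token, "Origin": "https://app.example"},
                        {}, "https://app.example"))
    print(validate_csrf(sid, {"Origin": "https://other.example"}, {}, "https://app.example"))
```

The token is bound to the session rather than generated per request, which keeps the check stateless on the server; rotate the session id (and therefore the token) on login.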

Cross Site Scripting


Cross-site scripting allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application. This allows hijacking the current session of the user or changing the look of the page by changing the HTML. It happens because input entered by a user has been interpreted as HTML/JavaScript/VBScript by the browser.

Cross-site scripting targets the users of the application instead of the server. An attacker can use it to hijack the user's active session, mount phishing attacks, or intercept data and perform man-in-the-middle attacks.

To avoid this, output should be encoded according to the output location and context. You should also implement a strong Content Security Policy (CSP) as a defense-in-depth measure in case an XSS vulnerability is mistakenly introduced.
CSP acts as a safeguard that can prevent an attacker from successfully exploiting cross-site scripting vulnerabilities.
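"Encoded according to the output location and context" means a different encoder for each place user data lands: HTML body, HTML attribute, JavaScript string and URL parameter. The following is an added example, not code from the article, showing those four encoders and a per-response CSP nonce so that only the server's own script block is allowed to run; the page layout, the hostname app.example and the CSP directives chosen are assumptions of the example.

```python
import html
import json
import secrets
from urllib.parse import quote


def encode_html_body(value: str) -> str:
    """Text between tags: < > & must not be interpreted as markup."""
    return html.escape(value, quote=False)


def encode_html_attr(value: str) -> str:
    """Quoted attribute value: also escape " and ' so the value cannot close the attribute."""
    return html.escape(value, quote=True)


def encode_js_string(value: str) -> str:
    """JavaScript string literal inside a <script> block.

    json.dumps gives a valid literal; < > & are additionally escaped so that a
    "</script>" inside the literal cannot terminate the enclosing script element.
    """
    return (json.dumps(value)
            .replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026"))


def encode_url_param(value: str) -> str:
    """Query-string component: percent-encode everything, including ':' and '/'."""
    return quote(value, safe="")


def render_profile(display_name, website, greeting):
    """Return (html, csp_header_value) for a profile page built from user data."""
    nonce = secrets.token_urlsafe(16)  # fresh per response, never reused
    page = (
        f"<p>Hello, {encode_html_body(display_name)}</p>\n"
        f'<a href="https://app.example/go?to={encode_url_param(website)}" '
        f'title="{encode_html_attr(display_name)}">site</a>\n'
        f'<script nonce="{nonce}">var greeting = {encode_js_string(greeting)};</script>'
    )
    # Only scripts carrying this nonce run; an injected inline <script> has none.
    csp = f"default-src 'self'; script-src 'nonce-{nonce}'; object-src 'none'"
    return page, csp


if __name__ == "__main__":
    body, csp = render_profile("<script>alert(1)</script>", "javascript:alert(1)",
                               "</script><script>alert(1)</script>")
    print(body)
    print("Content-Security-Policy:", csp)
```

The nonce-based policy is the defense-in-depth layer: even if one of the encoders is forgotten somewhere, the injected script element has no nonce and the browser refuses to execute it.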

SQL Injection


SQL injection is a web application hacking technique by which an attacker may gain access to your database. With successful access to the database the attacker can read the stored data as well as insert corrupt data. The attacker is also able to update, alter or delete the data in the database.
SQL injection generally occurs when a form submission asks for input such as a user name and the user inserts an SQL statement in that field, which is then run on your database.

If no preventive steps are taken against "wrong" input from the user, the user is able to enter input like -

XYZ OR 1=1

The resulting SQL is valid and will return ALL details from the table, since OR 1=1 is always TRUE.

You can use prepared statements (parameterized queries) to solve this issue. These are SQL statements that are sent to and parsed by the database server separately from any parameters.
This way it is impossible for an attacker to inject malicious SQL.
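To make the difference concrete, the following added example (not code from the article) runs the same lookup twice against an in-memory SQLite table: once with the input concatenated into the SQL text, and once as a bound parameter. The table, its two rows and the input string are constructed for the demonstration; the input uses quotes so that it fits the quoted-string context the lookup places it in.

```python
import sqlite3


def make_db():
    """Constructed in-memory table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example"), ("bob", "bob@example")])
    return conn


def find_user_vulnerable(conn, username):
    """String concatenation: the input becomes part of the SQL grammar."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """Parameterized query: the statement is parsed first, the value bound afterwards,
    so the input can only ever be compared as a string, never interpreted as SQL."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed input in the spirit of the article's "XYZ OR 1=1", written so the
# always-true clause sits inside the quoted context of the lookup above.
PAYLOAD = "xyz' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print("concatenated:", find_user_vulnerable(conn, PAYLOAD))  # every row comes back
    print("parameterized:", find_user_safe(conn, PAYLOAD))      # no such username: []
```

The safe version needs no escaping or input filtering at all; the placeholder does the work, and the same pattern applies to every database driver that supports bound parameters.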

Web Authentication


Website authentication and poor session management generate several security issues. Sessions are used to maintain the user's identity. If user credentials and session data are not protected at all times, an attacker can break this security and obtain the user's details.

Here are the possible loopholes through which an attacker can attack a website.

1. The password is not as strong as it should be. A password must contain a combination of capital letters, small letters, numbers and special characters.

2. The password is not stored in encrypted format, as it should be.

3. The session id name is of a common type. It should be hard to guess.

4. The URL might contain the session id. This type of practice should be avoided.

5. A session timeout is not implemented; it should be, to prevent session hijacking.
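The five points above map onto a small amount of server-side code. The following is an added example, not code from the article, covering them in Python: a password policy check (item 1), salted password hashing with PBKDF2, which is the standard way of storing passwords so they cannot be recovered (item 2), unguessable random session ids (item 3), a cookie header so the id travels in a cookie rather than the URL (item 4), and an idle timeout (item 5). The 12-character minimum, the iteration count, the 900-second timeout and the cookie name are assumptions of the example.

```python
import hashlib
import hmac
import os
import re
import secrets
import time

PBKDF2_ITERATIONS = 200_000  # assumed work factor; raise as hardware allows


def password_meets_policy(password):
    """Item 1: upper, lower, digit and special character; minimum length is assumed."""
    return all([
        len(password) >= 12,
        re.search(r"[A-Z]", password),
        re.search(r"[a-z]", password),
        re.search(r"[0-9]", password),
        re.search(r"[^A-Za-z0-9]", password),
    ])


def hash_password(password):
    """Item 2: store a salted, slow hash, never the password itself."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


class SessionStore:
    """Items 3 and 5: random ids and an idle timeout; the clock is injectable for tests."""

    def __init__(self, idle_timeout=900, clock=time.time):
        self._sessions = {}
        self.idle_timeout = idle_timeout
        self.clock = clock

    def create(self, username):
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness, not derived from the user
        self._sessions[sid] = {"user": username, "expires": self.clock() + self.idle_timeout}
        return sid

    def resolve(self, sid):
        """Return the username for a live session, or None; touching it extends the idle timer."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if self.clock() > rec["expires"]:
            del self._sessions[sid]
            return None
        rec["expires"] = self.clock() + self.idle_timeout
        return rec["user"]

    def destroy(self, sid):
        self._sessions.pop(sid, None)


def session_cookie_header(sid):
    """Item 4: the id travels only in a Secure, HttpOnly cookie, never in the URL."""
    return f"session={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"


if __name__ == "__main__":
    pw = "Correct-Horse-42!"  # constructed sample password
    print("policy ok:", password_meets_policy(pw))
    stored = hash_password(pw)
    print("verify:", verify_password(pw, stored), verify_password("guess", stored))
    store = SessionStore()
    sid = store.create("alice")
    print("Set-Cookie:", session_cookie_header(sid))
    print("resolves to:", store.resolve(sid))
```

Rotate the session id on login (create a new one and destroy the old) so that an id observed before authentication is worthless afterwards.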

What are Website Vulnerabilities

A website vulnerability is an inability, weakness, loophole or misconfiguration through which an attacker can access the website code, web server, data, etc. With this access, the attacker can inject spam data and content into the website.
There are lots of automated scripts, scanners and tools with which weak websites are exploited.

So we should check our website for vulnerabilities regularly; by doing so the website can be protected from attackers.

A few common web security vulnerabilities are -

1. Authentication

2. SQL injection

3. Cross Site Scripting

4. Cross Site Request Forgery