Web Application Security Mode:
(Page 1 of 333)  1 2 3 4 5 6 7 8 9 10 11  Next >
RE: [EXT] RE: Social Security Number in Hidden field 2014-11-24
Hambleton, Robert F (RHamble citgo com)
I completely agree. Even with just the last 4 digits, the application needs to have a role based security framework, the pages should be non-caching and SSL should be utilized. This would be for intranet and internet based applications, traffic can be sniffed on any network.

-----Original Mes

[ more ]  [ reply ]
RE: Social Security Number in Hidden field 2014-11-24
Jeffory Atkinson (jatkinson zelvin com)
In this day in age the SSN should never be a hidden variable. SSN should be treated nearly like a password. If an application needs the ssn for some sort of operations it should be masked and index on the back end. (Ie. if the application is providing the ssn number it should look something like xxx

[ more ]  [ reply ]
Re: concurrent logins 2014-11-24
Robin Wood (robin digi ninja)
On 24 November 2014 at 08:03, Stephen de Vries
<stephen (at) continuumsecurity (dot) net [email concealed]> wrote:
>> The reason I was thinking about this is the thing I was reading was
>> suggesting to prevent session hijacking that concurrent logins should
>> not be allowed, 2FA stops actual logins but not hijacks.
>
>
> Sess

[ more ]  [ reply ]
Re: Social Security Number in Hidden field 2014-11-24
Antti Virtanen (Antti Virtanen solita fi)
For a similar reason I have also implemented such a feature once. The

customer was fully aware that the information is not really safe, but they

wanted to prevent casual observer from seeing such information. In modern

office environments the observer doesnâ??t need to be in close proximity and

[ more ]  [ reply ]
Re: concurrent logins 2014-11-24
Stephen de Vries (stephen continuumsecurity net)
> The reason I was thinking about this is the thing I was reading was
> suggesting to prevent session hijacking that concurrent logins should
> not be allowed, 2FA stops actual logins but not hijacks.

Session hijacking is only possible after some other vulnerability in the site is exploited, e.g.

[ more ]  [ reply ]
Re: Social Security Number in Hidden field 2014-11-24
Lorne Kates (lkates gmail com)
I once coded an admin page like this. Admins had to have access to
SSNs (or SIN, since it was a Canadian company) of applicants. But
they didn't want the SSN on the screen all the time. So a button was
added that de-masked the SSN when clicked.

The company was fully aware that visually hiding th

[ more ]  [ reply ]
Re: Social Security Number in Hidden field 2014-11-23
Abhay Rana (capt n3m0 gmail com)
No, putting it in a hidden field is same as showing it to a tech-savvy
admin. Unless admins are supposed to see the SSN (and are authorized
to), there is no reason for it to be in a hidden field.

If you really need it there (for some future requests in the form), it
might be better to instead put t

[ more ]  [ reply ]
Re: Social Security Number in Hidden field 2014-11-23
snipe (snipe snipe net)
I canâ??t think of a single legitimate reason why SS# should be in a hidden field.

As to whether itâ??s a security risk, that depends on whether the intranet app is accessible from the outside world, whether it runs over SSL, etc. Does the hidden field only show up for admins? Given what seems like

[ more ]  [ reply ]
Re: Social Security Number in Hidden field 2014-11-23
Robin Wood (robin digi ninja)
Is there any reason for the SSN being included in the page? Is it
used, i.e. can it be edited on the page?

If not it shouldn't be there by the sound of it.

Robin

On 23 November 2014 at 20:12, Jyotiranjan Acharya
<jyotiranjan121 (at) gmail (dot) com [email concealed]> wrote:
> Hello,
>
> There is an application which is prese

[ more ]  [ reply ]
Social Security Number in Hidden field 2014-11-23
Jyotiranjan Acharya (jyotiranjan121 gmail com)
Hello,

There is an application which is present in an intranet. When, the
Admin of the application loads the user information page, a field
called SSN appears. It shows ###-##-####. But the actual SSN remains
in a hidden field.

Do you think there should be a security issue with this ?

Regards
Jyo

[ more ]  [ reply ]
Re: concurrent logins 2014-11-21
Robin Wood (robin digi ninja)
On 19 November 2014 14:27, Aaron Sanders <malmoose37 (at) gmail (dot) com [email concealed]> wrote:
> Just thinking out loud (still haven't had coffee yet) but what about second
> factor? Is that in scope for this question? I would think you can allow all
> the concurrent sessions a user wants as long as all of them were valida

[ more ]  [ reply ]
Re: concurrent logins 2014-11-21
Robin Wood (robin digi ninja)
On 19 November 2014 15:42, Paul Robinson <paul (at) iconoplex.co (dot) uk [email concealed]> wrote:
> On 19 November 2014 10:30, Robin Wood <robin (at) digi (dot) ninj [email concealed]a> wrote:
>>
>> What are peoples opinions on allowing concurrent logins to web apps? I
>> suppose it depends on what the app is used for - forum, admin suite
>> etc - but do

[ more ]  [ reply ]
Re: concurrent logins 2014-11-21
Robin Wood (robin digi ninja)
On 19 November 2014 16:41, Seth Art <sethsec (at) gmail (dot) com [email concealed]> wrote:
> As a user, I love how gmail does it, and I would love to see that more.
>
> As a tester, I personally treat this one as more of a recommendation than a
> finding in most cases. I find this one is difficult to defend in findings
> revi

[ more ]  [ reply ]
Re: concurrent logins 2014-11-21
Robin Wood (robin digi ninja)
On 19 November 2014 18:22, Rogan Dawes <rogan (at) dawes.za (dot) net [email concealed]> wrote:
> You have been logged out, because someone has just logged in using your
> username and password. If this was you, please ignore this message.
>
> Otherwise, please change your password immediately, and contact our security
> depart

[ more ]  [ reply ]
AW: concurrent logins 2014-11-21
Wolfgang Abbas (wolfgang abbas de)
Good points so far!

Additionally, I think in some cases it makes sense to divide internal access to applications depending on the criticality of the application.

For example: I did a hardening of a cms-based extranet for a client of mine. You may log into the system with up to three devices (phone

[ more ]  [ reply ]
RE: concurrent logins 2014-11-21
Nigel Ball (Nigel K Ball dsl pipex com)
Hi,

Not really another option but something that could be added to the options already listed is automatically logging out inactive sessions. How long you wait (minutes / hours / days) before deciding a session is inactive and logging it out would depend on the type of application and security conc

[ more ]  [ reply ]
RE: concurrent logins 2014-11-19
Zaakiy Siddiqui (zaakiy nticon com au)
Hi all,

I'm in favour of Arvind's Option Number 2: i.e., in my way of thinking it: Display to the user the Geolocation of other source IPs that have logged in with the same account.

Need to ensure though that if your users are using 3rd party services to login (common scenario is they use a featur

[ more ]  [ reply ]
Re: concurrent logins 2014-11-19
Seth Art (sethsec gmail com)
As a user, I love how gmail does it, and I would love to see that more.

As a tester, I personally treat this one as more of a recommendation
than a finding in most cases. I find this one is difficult to defend
in findings review meetings, especially given the challenges you
mention, and the pervas

[ more ]  [ reply ]
Re: concurrent logins 2014-11-19
James Wright (jamfwright gmail com)
Hi Robin,

As you said, it depends a lot on what the application is for. If it
is something like email, a user may wish to access it on a computer
and a smartphone, and stay logged into both.

If the web based system requires more security, or is limited by a
license (100 concurrent user limit) or

[ more ]  [ reply ]
Re: concurrent logins 2014-11-19
Matt Konda (mkonda jemurai com)
Robin,

I think youâ??ve hit on the obvious options.

Whatâ??s the business purpose? You might be surprised what the business will and will not tolerate related to this ...

Although it doesnâ??t strictly itself prevent concurrent sessions, Iâ??ve seen people use a two factor system to discourage i

[ more ]  [ reply ]
Re: concurrent logins 2014-11-19
Arvind (arvind doraiswamy gmail com)
I think the best way to do this is to take a quick step back and look
at the risks in each. That's because there's no 1 right answer here as
you already mentioned.

TLDR 1 - There's really only 2 options - you allow it or you dont.
Allowing means anyone can login (more ease of use) and disallowing i

[ more ]  [ reply ]
Re: concurrent logins 2014-11-19
Robin Wood (robin digi ninja)
That is my number 3 but giving a warning when logging them out. Could
still result in a DoS and you'd have to either write very good copy on
the warning or train users what to do when that happens as I reckon
most would just click OK and then log back in again.

Robin

On 19 November 2014 14:14, Rog

[ more ]  [ reply ]
Re: concurrent logins 2014-11-19
DavidMeans833 (at) air-watch (dot) com [email concealed] (DavidMeans833 air-watch com)
It depends upon what the security goals are. As an initial brain-storming
idea generator I consider the problem in terms of the security triad and
determine where and what is the confidential information I need to secure,
what are the integrity vectors, and are there any availability concerns?

I t

[ more ]  [ reply ]
Re: concurrent logins 2014-11-19
Robin Wood (robin digi ninja)
Hi
In theory I like the idea of reporting to the user that the account is
already in use but just think in practice it will be like the broken
SSL cert warning, people just click through it. Maybe not as much in
corporate environments but for home users you'd have to come up with
some very good copy

[ more ]  [ reply ]
RE: concurrent logins 2014-11-19
Martin O'Neal (martin oneal corsaire com)
For us, this is mostly about context. For all sites, some mechanism to report multiple logins back to the user is important for transparency, as is an audit trail entry.

But actually enforcing a single login is only really relevant to applications containing sensitive data.

Martin...

[ more ]  [ reply ]
Re: concurrent logins 2014-11-19
Irene Abezgauz (irene abezgauz gmail com)
Hi,

some thoughts, no particular order.

People use multiple devices, so disallowing concurrent logins is not an
option for most sites.

This obviously depends on functionality. Social communication sites do not
have the same needs as banking apps or nuclear-launch-management-interface
etc.

looki

[ more ]  [ reply ]
concurrent logins 2014-11-19
Robin Wood (robin digi ninja)
What are peoples opinions on allowing concurrent logins to web apps? I
suppose it depends on what the app is used for - forum, admin suite
etc - but do the protections from it add more problems that allowing
it?

Solutions I can see are:

1. Allow concurrent logins
2. Allow concurrent logins but rep

[ more ]  [ reply ]
Re: rating TRACE 2014-11-14
Robin Wood (robin digi ninja)
On 13 November 2014 16:13, Seth Art <sethsec (at) gmail (dot) com [email concealed]> wrote:
> Robin,
>
> If you are lucky, it might be a false positive. I have seen cases
> where OPTIONS tells you that TRACE is supported, but if you try the
> TRACE method, you get a 501 Not Implemented. Worth a try.

You find that a lot with

[ more ]  [ reply ]
Re: RES: rating TRACE 2014-11-14
Robin Wood (robin digi ninja)
On 14 November 2014 11:38, Mike Antcliffe
<mikeantcliffe (at) logicallysecure (dot) com [email concealed]> wrote:
> I completely agree. And one of the biggest problems is that disparity
> between ratings on tests performed by different companies can cause trust
> issues.
>
> Until the entire industry is singing from the same hy

[ more ]  [ reply ]
Re: rating TRACE 2014-11-14
Simon Ward (simon westpoint ltd uk)
On 2014-11-13 16:13, Seth Art wrote:
> If you are lucky, it might be a false positive. I have seen cases
> where OPTIONS tells you that TRACE is supported, but if you try the
> TRACE method, you get a 501 Not Implemented. Worth a try.

For Apache HTTP Server, using the TraceEnable directive it sh

[ more ]  [ reply ]
(Page 1 of 333)  1 2 3 4 5 6 7 8 9 10 11  Next >


 

Privacy Statement
Copyright 2010, SecurityFocus