ABSTRACT

The application configuration should ensure that SSL is used for all access controlled pages.

EXPLANATION

If an application uses SSL to guarantee confidential communication with client browsers, the application configuration should make it impossible to view any access controlled page without SSL.

There are three common ways for SSL to be bypassed:

- A user manually enters a URL and types "http" rather than "https".

- Attackers intentionally send a user to an insecure URL.

- A programmer erroneously creates a relative link to a page in the application, failing to switch from HTTP to HTTPS. (This is particularly easy to do when the link moves between public and secured areas on a web site.)
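The configuration point above and the three bypass paths can be checked mechanically. The following is an added example, not code from the original page or from any scanner; it assumes the standard Servlet deployment descriptor (web.xml) elements `security-constraint`, `web-resource-collection`, `url-pattern`, `auth-constraint` and `user-data-constraint`/`transport-guarantee`. It parses a descriptor and reports every access-controlled URL pattern (one with an `auth-constraint`) whose transport guarantee is not `CONFIDENTIAL`, which is the setting that makes the container refuse or redirect plain-HTTP requests. The two descriptors embedded below are constructed samples: the first shows the weak configuration, the second the corrected one.

```python
"""Audit a Servlet web.xml for access-controlled URL patterns that are not
bound to a confidential (SSL/TLS) transport.

Added example (not the page's own code). Assumes the standard Servlet
deployment-descriptor elements named in the lead-in; the sample descriptors
below are constructed for illustration.
"""
import xml.etree.ElementTree as ET

# Constructed sample: account pages require a login but carry no
# user-data-constraint, so the container will happily serve them over HTTP.
WEAK_WEB_XML = """\
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Account pages</web-resource-name>
      <url-pattern>/account/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>customer</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Public pages</web-resource-name>
      <url-pattern>/public/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
</web-app>
"""

# Constructed sample: the same descriptor with the missing guarantee added.
FIXED_WEB_XML = WEAK_WEB_XML.replace(
    "    </auth-constraint>\n",
    "    </auth-constraint>\n"
    "    <user-data-constraint>\n"
    "      <transport-guarantee>CONFIDENTIAL</transport-guarantee>\n"
    "    </user-data-constraint>\n",
)


def _local(tag: str) -> str:
    """Strip an XML namespace prefix: '{ns}url-pattern' -> 'url-pattern'."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name: str):
    """Direct children of elem whose local tag name equals name."""
    return [c for c in elem if _local(c.tag) == name]


def find_insecure_constraints(web_xml: str):
    """Return [(url_patterns, transport_guarantee), ...] for every
    security-constraint that restricts access (has an auth-constraint)
    but does not require CONFIDENTIAL transport."""
    root = ET.fromstring(web_xml)
    findings = []
    for sc in _children(root, "security-constraint"):
        patterns = []
        for wrc in _children(sc, "web-resource-collection"):
            patterns.extend((p.text or "").strip()
                            for p in _children(wrc, "url-pattern"))
        access_controlled = bool(_children(sc, "auth-constraint"))
        # Servlet spec default when no user-data-constraint is present.
        guarantee = "NONE"
        for udc in _children(sc, "user-data-constraint"):
            for tg in _children(udc, "transport-guarantee"):
                guarantee = (tg.text or "NONE").strip().upper()
        # INTEGRAL is also reported: only CONFIDENTIAL states the SSL
        # requirement the page calls for.
        if access_controlled and guarantee != "CONFIDENTIAL":
            findings.append((tuple(patterns), guarantee))
    return findings


def report(web_xml: str) -> list:
    """Human-readable lines, one per finding (empty list means clean)."""
    return [f"{', '.join(p)}: access controlled but transport-guarantee is {g}"
            for p, g in find_insecure_constraints(web_xml)]


if __name__ == "__main__":
    print("weak descriptor:", report(WEAK_WEB_XML) or "clean")
    print("fixed descriptor:", report(FIXED_WEB_XML) or "clean")
```

Only constraints that carry an `auth-constraint` are flagged, so genuinely public areas are not reported; the public `/public/*` collection in the sample stays silent. Once `CONFIDENTIAL` is present, a compliant container refuses to serve the matched pages over plain HTTP (Tomcat, for example, redirects to its configured SSL port), which closes all three bypass paths listed above without relying on every link in the application being written as an absolute `https` URL.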

REFERENCES

[1] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A10 Insecure Configuration Management

[2] Standards Mapping - OWASP Top 10 2007 - (OWASP 2007) A9 Insecure Communications

[3] Standards Mapping - OWASP Top 10 2010 - (OWASP 2010) A9 Insufficient Transport Layer Protection

[4] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II

[5] Standards Mapping - FIPS200 - (FISMA) CM, SC

[6] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 5

[7] Standards Mapping - Web Application Security Consortium 24 + 2 - (WASC 24 + 2) Information Leakage

[8] A. Taylor et al. J2EE & Java: Developing Secure Web Applications with Java Technology (Hacking Exposed). Osborne/McGraw-Hill.

[9] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9

[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 4.1, Requirement 6.5.10

[11] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 4.1, Requirement 6.5.4