Chong Hwi
Activity
Posted in Overly Detailed Internal Error Messages
I need help please
Posted in Incorrect Content-Type Response Headers
I need help please
Posted in No Client-side Encryption of Passwords
Anyone can help?
Posted in Unsafe-inline
Anyone?
Posted in Unsafe-inline
My apps need the following settings to get working:
script-src 'self' 'unsafe-inline'
style-src 'self' 'unsafe-inline'
Unfortunately this doesn't pass the pen-test, and they requested to remove the "unsafe-inline".
Question: Is there any method to get this void?
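An added example, not from the original thread and not GoRails code: the standard way to drop 'unsafe-inline' is a per-response nonce. The server generates a random value for each response, lists it in the CSP header, and stamps the same value on every inline script or style tag it renders, so only those tags run. This plain-Ruby sketch assumes a Rails-style app (Rails itself offers config.content_security_policy_nonce_generator for this; the example avoids it so that it runs stand-alone).

```ruby
require "securerandom"

# One fresh nonce per response: 128 bits of randomness, base64-encoded so the
# same value is valid in both the header and the HTML attribute.
def generate_csp_nonce
  SecureRandom.base64(16)
end

# The policy from the thread with 'unsafe-inline' replaced by the nonce source.
# Inline blocks without the matching nonce are blocked by the browser.
def build_csp_header(nonce)
  [
    "default-src 'self'",
    "script-src 'self' 'nonce-#{nonce}'",
    "style-src 'self' 'nonce-#{nonce}'"
  ].join("; ")
end

# Render an inline script carrying the nonce attribute. A template engine
# would emit this; it is hand-built here to keep the example self-contained.
def inline_script_tag(nonce, body)
  %(<script nonce="#{nonce}">#{body}</script>)
end

# Audit helper for the pen-test finding: return the directives that still
# carry 'unsafe-inline'. Note that once a nonce or hash source is present in a
# directive, browsers ignore 'unsafe-inline' in it anyway, so keeping the
# keyword "for compatibility" gains nothing while still failing the review.
def unsafe_inline_directives(header)
  header.split(";").map(&:strip)
        .select { |d| d.include?("'unsafe-inline'") }
        .map { |d| d.split.first }
end

if __FILE__ == $PROGRAM_NAME
  nonce = generate_csp_nonce
  puts "Content-Security-Policy: #{build_csp_header(nonce)}"
  puts inline_script_tag(nonce, "console.log('hello')")
  # Constructed sample of the original policy; the audit flags both directives.
  puts unsafe_inline_directives("script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'").inspect
end
```

The nonce must be generated per response and never reused or hard-coded, otherwise an attacker who learns it can satisfy the policy with injected markup.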
Posted in No Client-side Encryption of Passwords
There is no client-side encryption of passwords when they are sent to the web server. In mitigation, the passwords are already protected by SSL/TLS during transit. An example of the POST request is as follows:
user[email]=user@gorails.com&user[password]=****************
*Password has been masked for confidentiality purposes.
Posted in Incorrect Content-Type Response Headers
Incorrect Content-Type response headers were found to be in use:
Content-Type: application/octet-stream is being used for PDF and Zip downloads.
How do I configure the PDF and ZIP files to use
Content-Type: application/pdf
Content-Type: application/zip
Posted in Overly Detailed Internal Error Messages
Errors which previously caused stack traces to be shown now only show the following generic error:
"The page you were looking for doesn't exist." However, the server responded with the response code "500 Internal Server Error". This is dangerous as an attacker can deduce the kind of input that causes the server to behave erratically.
I need help with the configuration to keep the generic error but respond with response code 2XX or 3XX to close this Finding.