Setting HttpOnly in Cookies

Developers Programming
#1

Hi Team,

Am seeking help here after breaking my head at SC support…

Application deployed by me is subjected to an IT Security Audit by my customer and they have found loads of issues. Highlighting couple of them here so that the forum can be appraised and can suggest if they have managed to resolve this…

  1. Need to set HttpOnly attribute on the cookies. Since I am using SC default login module I am not aware of the location where this needs to be changed without disturbing the ‘Generated Code’

  2. Several pages are reported to be vulnerable to XSS (js injection attack). I am suggested by the support team to filter inputs however, is there any common event/location where this could be securely implemented… any references?. I do not want to do direct page manipulation and would prefer using SC existing macros/event etc.

  3. There are several unwanted text file and pages like nm_blank_page.htm generated and am suggested by support not to delete them. Does anyone know purpose of these pages and their necessity? No client would not allow text files and blank htmls hanging around in Production environment… any pointers?

Appreciate your time to read and help…

Note: I am a big fan of SC and using it over years for personal coding, however, a big disappointment now on Paid SC support !

Regards,
Chetan

Reflected Cross-Site Scripting (XSS) Vulnerabilities on Scriptcase apps
#2

Hi
The cookies can be configured on web server, in case of Apache here a link: https://geekflare.com/httponly-secure-cookie-apache/

For limit html or js code input in your forms you have to disable in each field the options: Show HTML content, Save HTML tags and Text input in Javascript
Don’t forget use sc_sql_injection in any sql query to your database, and in case of ajax lookup function where you can’t use this macro, you have to implement this in a database function. More information in this post: Serious problem of scriptcase security (Urgent)

Regarding the third question I think they are no neccesary, only is a way to show a blank page when there is no content in a folder whether someone try to access to the url. Anycase you can deny a user who tries to list the content of a folder through web execute/search permissions.

kind regards

#3

Thank you. This definitely helps… will check the suggested options.

Best Regards,
Chetan

#4

Thanks for the suggestions.

For the benefit of others, attached screenshot has all the settings that I have tried implementing to enhance code security by using SC available options.

Hope would be useful to others

sc-sec-exp-settings-implemented
sc-sec-exp-settings-implemented838×433 9.83 KB

1 Like