Some key points to handle the Vulnerability and Transport layer protection.
“Transport Layer Protection: Insecure Transmission”
Vulnerability Summary: - As per standard the user type credential should not be exposed through the “get” method. A username was found in the query string of a GET request or Set-Cookie header.
Update and Action:- This is basically a case where in case item/template not found, then the URL comes like below
Proposed Solution: - In case if item not found will redirect to the other specific URL, this section required some more investigation.
“Cross-Frame Scripting”
Vulnerability Summary: - A Cross-Frame Scripting (XFS) vulnerability can allow an attacker to load the vulnerable application inside an HTML iframe tag on a malicious page.
Solution: - Fix by including an X-Frame-Options header set to 'SAMEORGIN'. There are two options available either we can change in the web. Config or in the IIS settings.
Change in the web. config: - This is by default, setting and it’s available in the b2b web.config section.
Required change in the IIS: - Below are the steps for the IIS settings
- Open Internet Information Services (IIS) Manager.
- In the Connections pane on the left side, expand the Sites folder and select the site that you want to protect.
- Double-click the HTTP Response Header icon in the feature list in the middle.
- In the Actions pane on the right side, click Add.
- In the dialog box that appears, type X-Frame-Options in the Name field and type SAMEORIGIN in the Value field.
- Click OK to save your changes.
For more information :- http://support.microsoft.com/kb/2694329
Please feel free to post here, If have any questions
