Character Set Security

Character sets tell browsers how to interpret the bytes of text they receive from your site, for instance as text in English or text in Chinese. Each document or page on your site should declare a well-defined character set, such as UTF-8 or US-ASCII.

How are Character Sets Used in Application Security?

Leaving out a character set forces some browsers to 'guess' the correct one. If they guess incorrectly, an attacker could mount cross-site scripting attacks against your users. Generally this is not a threat unless users are able to modify or upload content to your site.

Using an incorrect character set is potentially worse than declaring none at all. An incorrect character set lets an attacker craft special content to send to your site knowing beforehand exactly how it will render, leading to cross-site scripting vulnerabilities.

How Does this Impact my Security?

Incorrect or missing character sets span the security range from low risk to high risk. In the lower-impact cases, the improper character set is highly unlikely to result in a security vulnerability, but it may affect users from different countries in different ways: some browsers may guess your character set incorrectly, causing your site to appear as if it were written in a different language. It is therefore recommended that every character set be set correctly, to maximize the usability of your site.

The higher-risk cases are character sets declared on content the browser renders, such as an image. An incorrect character set there can trigger cross-site scripting attacks, and can lead to loss of user data and privacy.

Solutions

Ensure that each page containing text also declares a character set, and make sure that character set is correct for your content. In nearly all cases UTF-8 is a good choice for text; however, each specific case may vary. To set the character set on your page, include an HTML tag at the top of each page flagged by the security scan that reads similar to the one below. Note that the character set is often set at the same time as the content type.

<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
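The following is an added example, not code from the original page or from Golem Technologies' scanner, showing how the check described in this section can be automated. It takes a response's headers and body bytes, extracts the charset from the HTTP Content-Type header (which browsers honour ahead of any meta tag) or, failing that, from a meta tag in the body, and then reports whether a charset is declared, whether it is a recognised encoding, and whether the body bytes actually decode under it. The function names, the result keys and the sample responses are assumptions constructed for the example.

```python
"""Check whether an HTML response declares a usable character set.

Added example (not the page's or the scanner's own code). Uses only the
Python standard library so it runs offline on constructed sample input.
"""
import codecs
from html.parser import HTMLParser


def charset_from_content_type(value):
    """Return the charset parameter of a Content-Type value, or None."""
    if not value:
        return None
    for param in value.split(";")[1:]:
        key, _, val = param.strip().partition("=")
        if key.strip().lower() == "charset":
            return val.strip().strip("\"'").strip() or None
    return None


class _MetaCharsetFinder(HTMLParser):
    """Collect the first charset declared by a <meta> tag in the document."""

    def __init__(self):
        super().__init__()
        self.charset = None

    def handle_starttag(self, tag, attrs):
        if tag != "meta" or self.charset:
            return
        attrs = dict(attrs)  # HTMLParser lowercases attribute names
        if attrs.get("charset"):
            self.charset = attrs["charset"].strip()
        elif (attrs.get("http-equiv") or "").lower() == "content-type":
            self.charset = charset_from_content_type(attrs.get("content"))


def check_charset(headers, body):
    """Classify a response as 'ok', 'missing', 'unknown-charset' or 'mismatch'.

    headers: dict of HTTP response headers (names matched case-insensitively).
    body: raw response bytes.
    """
    content_type = None
    for name, value in headers.items():
        if name.lower() == "content-type":
            content_type = value
    header_charset = charset_from_content_type(content_type)

    # Only the beginning of the document is scanned for a meta tag, and it is
    # read as ASCII (ignoring other bytes) because the tag itself must be
    # ASCII-compatible to be found before the charset is known.
    finder = _MetaCharsetFinder()
    finder.feed(body[:4096].decode("ascii", errors="ignore"))
    meta_charset = finder.charset

    # The HTTP header takes precedence over a meta tag, as browsers do.
    declared = header_charset or meta_charset
    result = {
        "header_charset": header_charset,
        "meta_charset": meta_charset,
        "declared": declared,
        "finding": None,
    }
    if declared is None:
        result["finding"] = "missing"        # browser will have to guess
        return result
    try:
        codec = codecs.lookup(declared)
    except LookupError:
        result["finding"] = "unknown-charset"  # declared name is not an encoding
        return result
    try:
        body.decode(codec.name)
        result["finding"] = "ok"
    except UnicodeDecodeError:
        result["finding"] = "mismatch"       # declaration does not match the bytes
    return result


# Constructed sample responses for a stand-alone run.
SAMPLES = {
    "header-utf8": ({"Content-Type": "text/html; charset=utf-8"},
                    "<html><body>caf\u00e9</body></html>".encode("utf-8")),
    "meta-latin1": ({"Content-Type": "text/html"},
                    b'<html><head><meta http-equiv="Content-Type" '
                    b'content="text/html; charset=iso-8859-1"></head>'
                    b"<body>caf\xe9</body></html>"),
    "no-charset": ({"Content-Type": "text/html"},
                   b"<html><body>hello</body></html>"),
    "bad-name": ({"Content-Type": "text/html; charset=x-bogus"},
                 b"<html><body>hello</body></html>"),
    "wrong-charset": ({"Content-Type": "text/html; charset=utf-8"},
                      b"<html><body>caf\xe9</body></html>"),
}

if __name__ == "__main__":
    for label, (hdrs, body) in SAMPLES.items():
        print(f"{label:14s} -> {check_charset(hdrs, body)['finding']}")
```

Run against real responses, a 'missing' result is the low-risk, browser-guessing case the page describes, while 'mismatch' and 'unknown-charset' are the cases where the declared character set does not describe the bytes being served and should be fixed before looking at anything else on the page.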

Additional Resources

Find Insecure Settings on your Webserver

Golem Technologies includes numerous different server setting scans to help you reduce your exposure to attack with thorough security scanning, including character set setup. See how the Golem Scan can help your business today.