Mixed Content and SSL Security

Websites that use SSL (Secure Sockets Layer) to encrypt some or all of their traffic do not always encrypt every part of a page. For example, a site might serve its login form over https but still load supporting files such as images or scripts over plain http. The result is what is known as 'mixed content'.

What is Mixed Content, and How is it a Risk?

Attackers who can intercept the unencrypted requests may modify those resources (the images or script files) in transit and thereby undermine the protection the encrypted part of the page was meant to provide. Such a compromise can lead to a loss of privacy or data for users who believe the encryption has protected them.

How Does this Impact my Security?

The risk is higher when the mixed content is a scriptable resource such as JavaScript. An attacker who can redirect or intercept the plain-http request, for example through DNS poisoning, can modify the script in transit, and because that script runs in the context of the secure page, the whole page is compromised for the end user.

Additionally, users who come to your page expecting security will receive a browser warning that the page contains both secure and non-secure content. This is not a user-friendly experience, and may drive some security-conscious visitors away from your site.

Preventing Mixed Content Warnings

Make sure all resources are loaded over an encrypted connection. This requires changing every resource URL throughout your site from "http" to "https". You can also use relative links for content stored on the same server: instead of http://www.mysite.com/images/image1, just use images/image1.

If the content is hosted on another server that you do not own and that does not have SSL set up (so that an https link would break the content), consider mirroring the content on your own site to avoid the problem, or ask the other site to set up SSL so that your site can be fully secured.
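The two steps above (find every plain-http sub-resource on an https page, then rewrite same-server URLs to relative paths) can be checked automatically before a page ships. The following is an added example, not code from this page or from Golem Technologies; it uses only the Python standard library, and the sample page, the hostname www.mysite.com and the third-party host cdn.example.net are constructed for illustration. Third-party URLs are upgraded to https rather than made relative, which only works if that host actually serves SSL, so those still need a manual check.

```python
"""Find mixed content in an HTML page served over HTTPS and rewrite
same-origin http:// sub-resource URLs to relative paths.
Added example with a constructed sample page; not the Golem scanner or
any real site's code."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that make the browser fetch a sub-resource into the page.
# Anchor hrefs are navigations, not sub-resources, so they are excluded.
RESOURCE_ATTRS = {
    "script": ("src",),
    "img": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "source": ("src",),
    "object": ("data",),
    "embed": ("src",),
    "form": ("action",),  # submission target; included because it carries user data
}

# Constructed sample page: one same-host script, one third-party script,
# one same-host image and one same-host form all loaded over plain http.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="https://www.mysite.com/css/site.css">
<script src="http://www.mysite.com/js/app.js"></script>
<script src="http://cdn.example.net/lib.js"></script>
</head><body>
<img src="http://www.mysite.com/images/image1">
<img src="images/image2">
<a href="http://www.mysite.com/about">About</a>
<form action="http://www.mysite.com/login" method="post"></form>
</body></html>"""


class MixedContentFinder(HTMLParser):
    """Collect (tag, attribute, url, line) for every plain-http sub-resource."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for attr in RESOURCE_ATTRS.get(tag, ()):
            for name, value in attrs:
                if name == attr and value and urlsplit(value.strip()).scheme == "http":
                    line, _offset = self.getpos()
                    self.findings.append((tag, attr, value.strip(), line))


def find_mixed_content(html):
    """Return the list of plain-http sub-resources found in the page."""
    parser = MixedContentFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


def rewrite_url(url, site_host):
    """Return a replacement for an http:// URL.

    Same-host URLs become root-relative paths, as the page advises;
    other hosts are upgraded to https, which only works if that host
    really serves SSL, so the caller must verify those separately."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    if parts.hostname and parts.hostname.lower() == site_host.lower():
        path = parts.path or "/"
        return path + ("?" + parts.query if parts.query else "")
    return "https://" + url[len("http://"):]


def fix_mixed_content(html, site_host):
    """Rewrite every flagged URL; return (new_html, findings_still_present)."""
    for _tag, _attr, url, _line in find_mixed_content(html):
        html = html.replace(url, rewrite_url(url, site_host))
    return html, find_mixed_content(html)


if __name__ == "__main__":
    for tag, attr, url, line in find_mixed_content(SAMPLE_PAGE):
        print(f"line {line}: <{tag} {attr}> loads {url} over plain http")
    fixed, remaining = fix_mixed_content(SAMPLE_PAGE, "www.mysite.com")
    print(f"after rewrite: {len(remaining)} mixed-content references remain")
```

Running the script on the sample page reports the two scripts, the image and the form action (the https stylesheet, the already-relative image and the plain navigation link are not flagged), and the rewritten page contains no mixed content. Root-relative paths (/images/image1) are used instead of the page's images/image1 so the rewrite works regardless of which directory the page lives in.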

Additional Resources

Find Mixed Content on your webserver

Golem Technologies includes numerous different server setting scans to help you reduce your exposure to attack with thorough security scanning, including application server setup and SSL setup scanning. See how the Golem Scan can help your business today.