Chong Hwi


Activity

Posted in Overly Detailed Internal Error Messages

I need help please

Posted in Incorrect Content-Type Response Headers

I need help please

Posted in No Client-side Encryption of Passwords

Can anyone help?

Posted in Unsafe-inline

Anyone?

Posted in Unsafe-inline

My apps need the following settings to get working:
script-src 'self' 'unsafe-inline'
style-src 'self' 'unsafe-inline'

Unfortunately, this doesn't pass the pen-test, and they requested that I remove the "unsafe-inline".

Question: Is there any method to get this void?

Posted in No Client-side Encryption of Passwords

There is no client-side encryption of passwords when they are sent to the web server. In mitigation, the passwords are already protected by SSL/TLS during transit. An example of the POST request is as follows:
user[email]=user@gorails.com&user[password]=****************

*Password has been masked for confidentiality purposes.

Posted in Incorrect Content-Type Response Headers

Incorrect Content-Type response headers were found to be in use:
Content-Type: application/octet-stream is being used for PDF and Zip downloads.

How do I configure the PDF and ZIP files to use
Content-Type: application/pdf
Content-Type: application/zip

Posted in Overly Detailed Internal Error Messages

Errors which previously caused stack traces to be shown now only show the following generic error:
"The page you were looking for doesn't exist." However, the server responded with the response code "500 Internal Server Error". This is dangerous as an attacker can deduce the kind of input that causes the server to behave erratically.

I need help with the configuration to keep the generic error, but respond with response code 2XX or 3XX to close this Finding.