Security Research
Showing results for 
Search instead for 
Do you mean Affordable Care should be Secure Care

nidhishah on ‎10-04-2013 05:45 PM is undoubtedly the most important site of the week. The site handles the sensitive information of millions of Americans: health history, identity, tax records and more. A project this important, naturally, is attractive to both security researchers and malicious attackers looking to identify security issues. The only difference is that security researchers stick to passive analysis and malicious attackers look for ways to exploit what they find. In this post, we will outline three quick observations that would encourage a malicious attacker to try to exploit the site. While these observations don’t indicate that the site already has any major vulnerability, they are red flags and, given the potential benefit, an attacker has plenty of motivation to explore further. A site this public and this important should follow security best practices from line one of code and configuration.

  1. Access-Control-Allow-Origin: * This header is a part of an HTML5 Cross-Origin Resource Shring (CORS) feature, enabling sites to do cross-domain communication. The header is used to restrict the domains that can make an AJAX request to and access the content of the response. A value of “*” for this header indicates that any site can initiate a request to and receive the response. We could not access authenticated area of (the site was overloaded) but if this is the policy applied to any authenticated page of the site, it could expose the site to serious threats like Cross-Site Request Forgery (CSRF). Failing to restrict cross-domain communication can allow a malicious site to send requests, including POST requests, to on victim’s behalf and gain access to his health records, and possibly enough information to steal his identity. should reconsider enablement of CORS feature on this site. Any required cross-domain functionality should be moved to web services. If that is not possible, they should restrict the value of this header to specific domains and specific functionality.
  2. No X-Frame-Options header: The X-Frame-Options header offers protection against Clickjacking attacks. Clickjacking is an attack where the attacker deceives a user into clicking an hidden element on a web page instead of the intended visible element. A successful clickjacking attack could disable certain security protections and submit a form on user’s behalf. Many sites implement frame-busting logic, a JavaScript solution, to protect against clickjacking. However, the introduction of the iFrame Sandbox attribute in the HTML5 specification has rendered that approach useless. To our surprise, does not deploy any defense and the site can be easily framed inside an HTML iFrame tag. 
  3. Missing HTTPOnly and Secure flags for Cookies: These HTTP header attributes protect the theft of cookies using JavaScript injected through Cross-Site Scripting or other flaws. The flags instruct the browser to prevent cookie access via JavaScript, preventing an attacker from stealing any sensitive information stored in the cookie, such as the session ID. uses cookies to maintain user history on the site and user identification. However, it is not known whether the user identification is used as session identification too. Regardless, a user’s search history or visiting history could reveal sensitive information such as the possible health issues, income level, and marital status. should employ these flags to protect cookies. 

This is a very important site for a lot of people and, no matter how challenging it is to keep up with demand, security should never be put on the back burner. A site built upon the principals of security is naturally more reliable.



0 Kudos
About the Author


27 Feb - 2 March 2017
Barcelona | Fira Gran Via
Mobile World Congress 2017
Hewlett Packard Enterprise at Mobile World Congress 2017, Barcelona | Fira Gran Via Location: Hall 3, Booth 3E11
Read more
Each Month in 2017
Software Expert Days - 2017
Join us online to talk directly with our Software experts during online Expert Days. Find information here about past, current, and upcoming Expert Da...
Read more
View all