<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:series="http://unfoldingneurons.com/"
	>

<channel>
	<title>Programming Ideas, Logics, Tips and Tricks &#187; safety</title>
	<atom:link href="http://www.sajithmr.me/tag/safety/feed" rel="self" type="application/rss+xml" />
	<link>http://www.sajithmr.me</link>
	<description></description>
	<lastBuildDate>Sat, 07 Apr 2012 16:30:06 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>Quick tips for https connection (Non secure content warning &#8211; IE)</title>
		<link>http://www.sajithmr.me/quick-tips-for-https-connection-non-secure-content-warning-ie</link>
		<comments>http://www.sajithmr.me/quick-tips-for-https-connection-non-secure-content-warning-ie#comments</comments>
		<pubDate>Mon, 17 May 2010 23:14:49 +0000</pubDate>
		<dc:creator>Mr Me</dc:creator>
				<category><![CDATA[html]]></category>
		<category><![CDATA[webworld]]></category>
		<category><![CDATA[alert]]></category>
		<category><![CDATA[Browser]]></category>
		<category><![CDATA[featured]]></category>
		<category><![CDATA[http]]></category>
		<category><![CDATA[https]]></category>
		<category><![CDATA[https warning]]></category>
		<category><![CDATA[ie]]></category>
		<category><![CDATA[non-secure content]]></category>
		<category><![CDATA[protocol]]></category>
		<category><![CDATA[safety]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[warning]]></category>

		<guid isPermaLink="false">http://www.sajithmr.me/?p=713</guid>
		<description><![CDATA[If your website uses https for all pages or for some pages (payment pages etc.), keep the following in mind. Some browsers, especially IE, show a warning about non-secured content on a secured page. This gives users the feeling that the website is not secure. Always use relative URLs. A relative URL is one [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignnone size-full wp-image-714" title="browsers_dhtml" src="http://www.sajithmr.me/wp-content/uploads/2010/05/browsers_dhtml.jpg" alt="browsers_dhtml" width="270" height="250" /></p>
<p>If your website uses https for all pages or for some pages (payment pages etc.), keep the following in mind. Some browsers, especially IE, show a warning about non-secured content on a secured page. This gives users the feeling that the website is not secure.</p>
<ol>
<li>Always use relative URLs. A relative URL is one that does not start with http:// or https://.</li>
<li>If you need to use a full URL, build the base name dynamically in your programming language. For example in PHP, define BASE_URL = http://www.yoursite.com and use this variable in every link and form. Switch the BASE_URL value between http and https depending upon the protocol ($_SERVER['HTTP_HOST']).</li>
<li>Check inside your JavaScript functions whether any of them call a non-secured URL (for example, sometimes you may use a full URL inside JavaScript). Use an if condition to decide which protocol to use, like Google Analytics does.<br />
e.g.: (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");</li>
<li>Check whether any Flash content tries to load data from a non-secured URL. XML configuration files, for instance, are often loaded over http.</li>
<li>Also check the codebase parameter value in the object tag (Flash or other media) to see whether it points to an http or an https URL. Flash content often carries this URL.<br />
<span style="color: #ff6600;">codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=9,0,115,0"</span><br />
Change this URL to https://download&#8230;</li>
<li>If you are using Facebook Connect or a similar integration, check the JavaScript initialisation code.<br />
<span style="color: #008000;">FB.init("78bc8ffb87c41eabb6395a2045c76021", "/xd_receiver.htm");</span><br />
Inside the xd_receiver.htm file, the cross-platform callback will be a non-secured URL (http).<br />
Change this to xd_receiver_ssl.htm and use the new code, which is available in the Facebook documentation.</li>
</ol>
<p>Tools like Fiddler can be used to check which URL is non-secured. Firebug cannot show all non-secure connections. If the above steps do not solve your problem, try disabling JavaScript files one by one to find which call is causing the problem. Also try the same with Flash objects, disabling them one by one.</p>
<p>Good luck guys</p>
<p>Cheers</p>
<p>Sajith</p>
]]></content:encoded>
			<wfw:commentRss>http://www.sajithmr.me/quick-tips-for-https-connection-non-secure-content-warning-ie/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Session/Cookie alone does not secure your web application &#8211; CSRF</title>
		<link>http://www.sajithmr.me/csrf</link>
		<comments>http://www.sajithmr.me/csrf#comments</comments>
		<pubDate>Thu, 12 Nov 2009 19:01:17 +0000</pubDate>
		<dc:creator>Mr Me</dc:creator>
				<category><![CDATA[general]]></category>
		<category><![CDATA[cookie]]></category>
		<category><![CDATA[csrf]]></category>
		<category><![CDATA[get]]></category>
		<category><![CDATA[gmail]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[hacker]]></category>
		<category><![CDATA[post]]></category>
		<category><![CDATA[safety]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[session]]></category>
		<category><![CDATA[web application]]></category>

		<guid isPermaLink="false">http://www.sajithmr.me/?p=500</guid>
		<description><![CDATA[Guess what will happen if you add an image like the one below to your HTML page: &#60;img src=&quot;http://mail.google.com/mail/?logout&#38;hl=en&quot; /&#62; It does not appear on the page, but your Google account in another window or another tab will get logged off. Now an external website could log you out of your Gmail or Orkut. If you coded your website to [...]]]></description>
			<content:encoded><![CDATA[<p>Guess what will happen if you add an image like the one below to your HTML page:</p>
<p>&lt;img src="http://mail.google.com/mail/?logout&amp;hl=en" /&gt;</p>
<p>It does not appear on the page, but your Google account in another window or another tab will get logged off. Now an external website could log you out of your Gmail or Orkut.</p>
<p><img class="alignnone size-full wp-image-503" src="http://www.sajithmr.me/wp-content/uploads/2009/11/Gmail-Login-Gets-CSRF-Protection-2.jpg" alt="" width="290" height="245" /></p>
<p>If you coded your website to delete a photo or object with a URL like this: www.domainname.com/photos/delete?id=221, you may think that, since you check user authentication on the server side, no one else can delete your file. But what if you are logged in in one tab and in a second tab you load another website (the hacker's or attacker's)? He can place lots of hidden images with src = www.domainname.com/photos/delete?id=22 (he can try ids from 0 to 1000 or 10,000, and any one of them may be your object).</p>
<p>Here the authentication check passes, because the cookie and session are already set from the other tab, and so the request affects (updates or deletes) your content.</p>
<p>Those who think "I use the POST method, so it is safe": sorry, you are wrong. JavaScript can also simulate a POST, and by using this an external website can submit your forms (for example, they can run a form submission to change the email you registered with, and later reset the password to hack your account).</p>
<p>It won&#8217;t happen if you use a CAPTCHA. But it is very hard to use a CAPTCHA on every form. You can prevent this attack by adding an additional parameter (a randomly generated string) to the GET URL or the POST form submission.</p>
<p>For example, check the url to delete a mail in gmail.</p>
<p><span style="color: #0000ff;">http://mail.google.com/mail/?ui=2&amp;ik=42e598c952&amp;at=xn3j2ufyx273muje67ot1fsxsnbmnl&amp;<br />
view=up&amp;act=tr&amp;rt=j&amp;search=inbox</span></p>
<p>There is an extra random string alongside the useful parameters. So an external application cannot predict the exact URL to delete a particular mail, and an img with that src fails here.</p>
<p>The same thing is also needed for the POST method. Add a hidden field holding the random string and check it on the server before updating the database.</p>
<p>This problem is called <a href="http://en.wikipedia.org/wiki/Cross-site_request_forgery" target="_blank">CSRF</a> &#8211; Cross Site Request Forgery</p>
<p>Thanks<br />
Sajith</p>
]]></content:encoded>
			<wfw:commentRss>http://www.sajithmr.me/csrf/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

