search

Code-Racing / brickyard

0 stars 0 forks source link

CONTRAST: Session Cookie Has No 'HttpOnly' Flag in Response.java #53

Open valvolineford opened 4 years ago

valvolineford commented 4 years ago

Vulnerability ID: WS15-T4E5-UQRB-IGHJ

Application Name: WebGoat

Vulnerability Link: http://localhost:19080/Contrast/static/ng/index.html#/7c6cfec5-a187-4d5e-984a-d11d96d2ef63/applications/1f21baa2-741d-47df-a8ea-89ea70b18615/vulns/WS15-T4E5-UQRB-IGHJ

What Happened?

The HttpCookie created in following call from in Response.java did not contain the HttpOnly flag:

response.addHeader("Set-Cookie","JSESSIONID=B73327F913BCE80911DBC6731850CABE; Pa...")

What's the risk?

This site does not specify the HTTPOnly flag for session cookies.

In most browsers, the HTTPOnly flag prevents a user's cookie from being accessed by various client side scripts, including malicious scripts inserted by Cross-Site Scripting (XSS) attacks. Setting this cookie attribute does not eliminate XSS vulnerabilities, but does reduce the likelihood that an XSS vulnerability can be used to extract valuable application based session and/or authentication cookies from the victim's browser.

Recommendation

This site does not specify the HTTPOnly flag for its session cookie. In most browsers, the HTTPOnly flag prevents a user's cookie from being accessed by various client side scripts, including malicious scripts inserted by a Cross-Site Scripting (XSS) attack. Setting this cookie attribute does not eliminate XSS vulnerabilities, but does reduce the likelihood that an XSS vulnerability can be used to extract valuable application based session and/or authentication cookies from the victim's browser.

First Event


Stack:
  org.apache.catalina.connector.Response.addHeader(Response.java:1066)
  org.apache.catalina.connector.Response.addSessionCookieInternal(Response.java:1002)
  org.apache.catalina.connector.Request.doGetSession(Request.java:3050)
  org.apache.catalina.connector.Request.getSession(Request.java:2429)
  org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:896)
  org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:908)
  javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:240)
  javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:240)
  javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:240)
  org.springframework.security.web.savedrequest.HttpSessionRequestCache.saveRequest(HttpSessionRequestCache.java:59)
  org.springframework.security.web.access.ExceptionTranslationFilter.sendStartAuthentication(ExceptionTranslationFilter.java:201)
  org.springframework.security.web.access.ExceptionTranslationFilter.handleSpringSecurityException(ExceptionTranslationFilter.java:177)
  org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:133)
  org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
  org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137)
  org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
  org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111)
  org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
  org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:170)
  org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
  org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)
  org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
  org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:200)
  org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
  org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
  org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
  org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
  org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
  org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
  org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
  org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
  org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
  org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
  org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
  org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
  org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
  org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347)
  org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263)
  org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
  org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
  org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)
  org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
  org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
  org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
  org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:108)
  org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
  org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
  org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
  org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:81)
  org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
  org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
  org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
  org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197)
  org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
  org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
  org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
  org.springframework.boot.actuate.autoconfigure.MetricsFilter.doFilterInternal(MetricsFilter.java:106)
  org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
  org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
  org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
  org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
  org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
  org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478)
  org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
  org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
  org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
  org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
  org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:803)
  org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
  org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
  org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1459)
  org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
  java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)

Last Event


Stack:
  org.apache.catalina.connector.Response.addHeader(Response.java:1066)
  org.apache.catalina.connector.Response.addSessionCookieInternal(Response.java:1002)
  org.apache.catalina.connector.Request.doGetSession(Request.java:3050)
  org.apache.catalina.connector.Request.getSession(Request.java:2429)
  org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:896)
  org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:908)
  javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:240)
  javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:240)
  javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:240)
  org.springframework.security.web.savedrequest.HttpSessionRequestCache.saveRequest(HttpSessionRequestCache.java:59)
  org.springframework.security.web.access.ExceptionTranslationFilter.sendStartAuthentication(ExceptionTranslationFilter.java:201)
  org.springframework.security.web.access.ExceptionTranslationFilter.handleSpringSecurityException(ExceptionTranslationFilter.java:177)
  org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:133)
  org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
  org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137)
  org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
  org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111)
  org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
  org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:170)
  org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
  org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)
  org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
  org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:200)
  org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
  org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
  org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
  org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
  org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
  org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
  org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
  org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
  org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
  org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
  org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
  org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
  org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
  org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347)
  org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263)
  org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
  org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
  org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)
  org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
  org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
  org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
  org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:108)
  org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
  org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
  org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
  org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:81)
  org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
  org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
  org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
  org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197)
  org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
  org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
  org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
  org.springframework.boot.actuate.autoconfigure.MetricsFilter.doFilterInternal(MetricsFilter.java:106)
  org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
  org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
  org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
  org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
  org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
  org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478)
  org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
  org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
  org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
  org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
  org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:803)
  org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
  org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
  org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1459)
  org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
  java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)

HTTP Request

GET http://localhost:8080/WebGoat/ HTTP/1.0 Accept-Language: en-US,en;q=0.5 Cookie: AJS.conglomerate.cookie="|config.sidebar.planNavigator.expanded=true|tabContainer.tabContainer.selectedTab=Capabilities|tabContainer.remote-agents-tabs.selectedTab=Online remote agents"; language=en Host: localhost:8080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0 Upgrade-Insecure-Requests: 1 Connection: keep-alive Accept-Encoding: gzip, deflate Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8

References

https://www.owasp.org/index.php/Top_10_2013-A2-Broken_Authentication_and_Session_Management