Code-Racing / brickyard


CONTRAST: Application Disables 'secure' Flag on Cookies observed at CookieFlagSinkHandler.java (myCookie) #60

Open valvolineford opened 4 years ago

valvolineford commented 4 years ago

Vulnerability ID: KF0S-ZINN-TAE4-HVJ1

Application Name: Pluto

Vulnerability Link: http://localhost:19080/Contrast/static/ng/index.html#/7c6cfec5-a187-4d5e-984a-d11d96d2ef63/applications/0f9338c6-352f-418b-9d89-696406640d91/vulns/KF0S-ZINN-TAE4-HVJ1

What Happened?

The code:

com.contrastsecurity.grizzly.sinks.CookieFlagSinkHandler#service(), line 21

... explicitly tells the browser that the cookie is allowed to be sent over insecure channels:

cookie.setSecure(false)

What's the risk?

Setting the 'secure' flag on cookies prevents the browser from sending them over a connection that isn't encrypted with SSL or TLS. This code creates a cookie without setting the secure flag, creating the possibility that an attacker could gain access to it on an unencrypted connection. If this cookie is used for authentication or session management, disclosing it could allow account hijacking. Other cookies may also be sensitive and should not be disclosed. Note that an attack called sidejacking tricks browsers into using unencrypted connections even if your site generally uses encryption.

Recommendation

Ensure that the javax.servlet.http.Cookie#setSecure() method is called for this cookie with a parameter of "true".

First Event


Stack:
  org.glassfish.grizzly.http.Cookie.setSecure(Cookie.java:378)
  com.contrastsecurity.grizzly.sinks.CookieFlagSinkHandler.service(CookieFlagSinkHandler.java:21)
  org.glassfish.grizzly.http.server.HttpHandler$1.run(HttpHandler.java:224)
  org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:593)
  org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:573)
  java.lang.Thread.run(Thread.java:748)

Last Event


Stack:
  org.glassfish.grizzly.http.Cookie.setSecure(Cookie.java:378)
  com.contrastsecurity.grizzly.sinks.CookieFlagSinkHandler.service(CookieFlagSinkHandler.java:21)
  org.glassfish.grizzly.http.server.HttpHandler$1.run(HttpHandler.java:224)
  org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:593)
  org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:573)
  java.lang.Thread.run(Thread.java:748)

HTTP Request

  GET http://localhost:32841/grizzly/cookie-sink HTTP/1.1
  Contrast-Mq-Name: queue-145-GrizzlyIT.it_tests_grizzly_sinks_register_as_vulnerabilities-contrastsecurity-docker.jfrog.io/contrast/grizzly:rev7
  Host: localhost:32841
  Connection: Keep-Alive
  Accept-Encoding: gzip
  User-Agent: okhttp/3.9.1

References

https://www.owasp.org/index.php/Top_10_2013-A2-Broken_Authentication_and_Session_Management