Vulnerability ID: 4I9W-WWAW-FCJL-8WYR
Application Name: Pluto
Vulnerability Link: http://localhost:19080/Contrast/static/ng/index.html#/7c6cfec5-a187-4d5e-984a-d11d96d2ef63/applications/0f9338c6-352f-418b-9d89-696406640d91/vulns/4I9W-WWAW-FCJL-8WYR
What Happened?
The code:
com.contrastsecurity.grizzly.sinks.CookieFlagSinkHandler#service(), line 21
... explicitly tells the browser that the cookie is allowed to be sent over insecure channels:
cookie.setSecure(false)
What's the risk?
Setting the 'secure' flag on cookies prevents the browser from sending them over a connection that isn't encrypted with SSL or TLS. This code creates a cookie without setting the secure flag, creating the possibility that an attacker could gain access to it on an unencrypted connection. If this cookie is used for authentication or session management, disclosing it could allow account hijacking. Other cookies may also be sensitive and should not be disclosed. Note that an attack called sidejacking tricks browsers into using unencrypted connections even if your site generally uses encryption.
Recommendation
Ensure that the javax.servlet.http.Cookie#setSecure() method is called for this cookie with a parameter of "true".
HTTP Request
GET http://localhost:32841/grizzly/cookie-sink HTTP/1.1
Contrast-Mq-Name: queue-145-GrizzlyIT.it_tests_grizzly_sinks_register_as_vulnerabilities-contrastsecurity-docker.jfrog.io/contrast/grizzly:rev7
Host: localhost:32841
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: okhttp/3.9.1
References
https://www.owasp.org/index.php/Top_10_2013-A2-Broken_Authentication_and_Session_Management