hypothesis / product-backlog

Where new feature ideas and current bugs for the Hypothesis product live

Security vulnerability - V-002 Cookies Set Without Secure Flag - `Medium` #1524

Closed indigobravo closed 11 months ago

indigobravo commented 1 year ago

Overview

Impacts

Description

The following is taken from the Draft SubGraph 2023 Security Review

Discussion

Cookies set during the login process are not set with the Secure flag. This means that the browser may send them when making HTTP requests under some specific circumstances, with older browsers being more exposed. The Pyramid Python framework apparently does not set the secure flag by default, which may be the root cause of this issue.


Impact Analysis

This issue is mitigated by the following:

  • Modern browsers will not send credentials by default unless the originating request is from a page that matches the origin
  • The application server sends a Strict-Transport-Security header with a max-age of 6 months and instructs the browser to include subdomains

This reduces the opportunities for exploitation, but does not eliminate them.

Remediation Recommendations

Add the secure flag to cookies that are set following a successful login. For applications that use the Pyramid framework, this is documented here:

robertknight commented 11 months ago

Per https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies:

A cookie with the Secure attribute is only sent to the server with an encrypted request over the HTTPS protocol.

It should be fine to enable this flag in QA + production, since all requests go over HTTPS, but we'd want to disable it in development.

I did some testing locally setting the secure flag and it seems that Chrome and Firefox's "treat localhost as HTTPS" feature works for secure cookies too, so if you're only testing in those browsers you could set this flag all the time. However Safari does not support this behavior, and sometimes developers might have reasons to test in environments that are not hosted over HTTPS.

In production we always redirect HTTP traffic to HTTPS, so we could determine whether to set the Secure flag based on the protocol in the request. If the user connected to the site over HTTPS, we can assume that all other traffic which needs to include the cookie will also go over HTTPS too.
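An added example, not code from the Hypothesis repository or from this thread, that models the approach proposed above in plain Python: derive the Secure flag from the scheme of the login request, emit the Set-Cookie header, and audit a Set-Cookie header for the flags the V-002 finding is about. The `forwarded_proto`/`trust_proxy` parameters are an assumption about deployments behind a TLS-terminating proxy and are not discussed in the thread; in Pyramid the same boolean would be passed as `secure=` to `response.set_cookie`.

```python
from http.cookies import SimpleCookie


def cookie_should_be_secure(scheme, forwarded_proto=None, trust_proxy=False):
    """Decide the Secure flag from the protocol the client actually used.

    Follows the thread's proposal: an HTTPS login implies the rest of the
    session is HTTPS (HTTP is redirected), so the cookie can be Secure; a
    plain-HTTP dev login gets no Secure flag so the browser still sends it.
    forwarded_proto/trust_proxy are an added assumption for apps behind a
    TLS-terminating proxy, which see scheme=http and must consult the
    proxy's X-Forwarded-Proto header instead (only if the proxy is trusted).
    """
    if scheme == "https":
        return True
    return bool(trust_proxy and forwarded_proto == "https")


def build_login_cookie(name, value, scheme, forwarded_proto=None,
                       trust_proxy=False):
    """Return the Set-Cookie header value for a post-login session cookie."""
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["path"] = "/"
    morsel["httponly"] = True  # keep the session token out of document.cookie
    morsel["samesite"] = "Lax"
    morsel["secure"] = cookie_should_be_secure(scheme, forwarded_proto,
                                               trust_proxy)
    return morsel.OutputString()


def audit_set_cookie(header_value):
    """List flags missing from one Set-Cookie header (the V-002 check)."""
    jar = SimpleCookie()
    jar.load(header_value)
    findings = []
    for cookie_name, morsel in jar.items():
        if not morsel["secure"]:
            findings.append(f"{cookie_name}: missing Secure")
        if not morsel["httponly"]:
            findings.append(f"{cookie_name}: missing HttpOnly")
    return findings


if __name__ == "__main__":
    # Constructed sample: a production login over HTTPS vs. a local dev login.
    for scheme in ("https", "http"):
        header = build_login_cookie("session", "opaque-token", scheme)
        print(scheme, "->", header, audit_set_cookie(header))
```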