Title: insecure_cookies Vulnerability on POST:/api/v1/primary-account/primary-account
Project: NB 58
Description:
Assertion
Overview: Cookies are commonly used to conveniently store information client-side, such as for API authentication. If set with insecure attributes they can become an attack vector and a source of data leaks. This category checks that cookies are set to be sent only over a secure connection and that they cannot be accessed by client-side JavaScript. The secure connection keeps them from being intercepted in transit. Preventing JavaScript from reading the values helps keep malicious websites from harvesting the cookie data.
Severity: Medium
API Endpoint: http://netbanking.apisec.ai:8080/api/v1/primary-account/primary-account
Environment: Master
Playbook: ApiV1PrimaryAccountPrimaryAccountPostInsecureCookies
Researcher: [apisec Bot]
QUICK TIPS
Suggestion:
Effort Estimate: null Hrs
Wire Logs:
05:04:09 [D] [AVPAPAPICookies] : Endpoint [http://netbanking.apisec.ai:8080/api/v1/primary-account/primary-account]
05:04:09 [D] [AVPAPAPICookies] : Method [POST]
05:04:09 [D] [AVPAPAPICookies] : Authorization [Default]
05:04:09 [D] [AVPAPAPICookies] : Request headers [[Accept:"application/json", Content-Type:"application/json", Authorization:"Basic *****"]]
05:04:09 [D] [AVPAPAPICookies] : Request [{ "accountBalance" : 2107453856, "accountNumber" : 2107453856, "accountType" : "SAVING", "createdBy" : "", "createdDate" : "", "id" : "", "inactive" : false, "modifiedBy" : "", "modifiedDate" : "", "version" : "" }]
05:04:09 [D] [AVPAPAPICookies] : Status code [200]
05:04:09 [D] [AVPAPAPICookies] : Response headers [[X-Content-Type-Options:"nosniff", X-XSS-Protection:"1; mode=block", Cache-Control:"no-cache, no-store, max-age=0, must-revalidate", Pragma:"no-cache", Expires:"0", X-Frame-Options:"DENY", Set-Cookie:"SESSION=YzI4ZWI0NDItNzg4Yy00YjM5LTk3N2ItMzQ0ZWRlZjY3ZDJl; Path=/; HttpOnly", Content-Type:"application/json;charset=UTF-8", Transfer-Encoding:"chunked", Date:"Thu, 19 Jan 2023 05:04:09 GMT"]]
05:04:09 [D] [AVPAPAPICookies] : Response [Hidden]. //To view the response set 'showResponse: true' under policies
05:04:09 [D] [AVPAPAPICookies] : Response time [220]
05:04:09 [D] [AVPAPAPICookies] : Response size [472]
05:04:09 [E] [AVPAPAPICookies] : Assertion [@StatusCode != 200] resolved-to [200 != 200] result [Failed]
IMPORTANT LINKS
Vulnerability Details: https://cloud.apisec.ai/#/app/vulnerabilities/projects/8adc80ec84e1cb220184e5f27d494dfb/dashboard/8adc81e585bef95e0185c869bb0e184f/details
Project: https://cloud.apisec.ai/#/app/projects/8adc80ec84e1cb220184e5f27d494dfb/dashboard
Environment: https://cloud.apisec.ai/#/app/config-environments/projects/8adc80ec84e1cb220184e5f27d494dfb/environmentList
Scan Dashboard: https://cloud.apisec.ai/#/app/projects/8adc80ec84e1cb220184e5f27d494dfb/profiles/8adc80eb84e1c98e0184e5f2a02953c6/runs/8adc823d85bef6cb0185c869930d41f6
Playbook: https://cloud.apisec.ai/#/app/projects/8adc80ec84e1cb220184e5f27d494dfb/playbooks/ApiV1PrimaryAccountPrimaryAccountPostInsecureCookies
Coverage: https://cloud.apisec.ai/#/app/config-categories/projects/8adc80ec84e1cb220184e5f27d494dfb/categories
Code Sample: https://cloud.apisec.ai/#/app/vulnerabilities/projects/8adc80ec84e1cb220184e5f27d494dfb/dashboard/8adc81e585bef95e0185c869bb0e184f/codesamples
PS: Please contact support@apisec.ai for apisec access and login issues.
--- apisec Bot ---