Title: insecure_cookies Vulnerability on PUT:/api/v1/transfers
Project: NB 58
Description:
Assertion
Overview: Cookies are commonly used to store information client side, for example an API session token. If they are set with insecure attributes they become an attack vector and a source of data leaks. This category checks that each cookie carries the Secure attribute (so the browser sends it only over an HTTPS connection) and the HttpOnly attribute (so it cannot be read by client-side JavaScript). Secure keeps the cookie from being sent in cleartext where it could be intercepted; HttpOnly keeps injected scripts, such as an XSS payload, from reading the value and exfiltrating it.
Severity: Medium
API Endpoint: http://netbanking.apisec.ai:8080/api/v1/transfers
Environment: Master
Playbook: ApiV1TransfersPutInsecureCookies
Researcher: [apisec Bot]
QUICK TIPS
Suggestion:
Effort Estimate: null Hrs
Wire Logs:
05:04:21 [D] [AVTPICookies] : Endpoint [http://netbanking.apisec.ai:8080/api/v1/transfers]
05:04:21 [D] [AVTPICookies] : Method [PUT]
05:04:21 [D] [AVTPICookies] : Authorization [Default]
05:04:21 [D] [AVTPICookies] : Request headers [[Accept:"application/json", Content-Type:"application/json", Authorization:"Basic *****"]]
05:04:21 [D] [AVTPICookies] : Request [{ "confirmed" : false, "createdBy" : "", "createdDate" : "", "description" : "75Fpx3a6", "id" : "", "inactive" : false, "location" : "75Fpx3a6", "modifiedBy" : "", "modifiedDate" : "", "transactionType" : "ATM", "version" : "" }]
05:04:21 [D] [AVTPICookies] : Status code [200]
05:04:21 [D] [AVTPICookies] : Response headers [[X-Content-Type-Options:"nosniff", X-XSS-Protection:"1; mode=block", Cache-Control:"no-cache, no-store, max-age=0, must-revalidate", Pragma:"no-cache", Expires:"0", X-Frame-Options:"DENY", Set-Cookie:"SESSION=NWU5YWM1ZGYtYzgwMS00NWNmLWI3ODYtNzJhYzA4NDE1ZWZm; Path=/; HttpOnly", Content-Type:"application/json;charset=UTF-8", Transfer-Encoding:"chunked", Date:"Thu, 19 Jan 2023 05:04:21 GMT"]]
05:04:21 [D] [AVTPICookies] : Response [Hidden]. //To view the response set 'showResponse: true' under policies
05:04:21 [D] [AVTPICookies] : Response time [275]
05:04:21 [D] [AVTPICookies] : Response size [483]
05:04:21 [E] [AVTPICookies] : Assertion [@StatusCode != 200] resolved-to [200 != 200] result [Failed]
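The Set-Cookie header captured in the wire log above carries HttpOnly but no Secure attribute, and no SameSite attribute either. The following is an added example, not apisec's playbook code and not code from the scanned application, of how a practitioner can reproduce this category's check offline: it parses a Set-Cookie header, flags the missing attributes, and also flags that the endpoint is served over plain http://, since a browser will never return a Secure cookie to a non-HTTPS origin, so adding the flag without moving the API to TLS would silently break session handling. The hardened header and the https:// endpoint used for comparison are constructed assumptions, not values from the page.

```python
"""Audit Set-Cookie headers for the Secure / HttpOnly / SameSite attributes."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Set-Cookie value and endpoint copied from the wire log above.
CAPTURED_SET_COOKIE = "SESSION=NWU5YWM1ZGYtYzgwMS00NWNmLWI3ODYtNzJhYzA4NDE1ZWZm; Path=/; HttpOnly"
CAPTURED_ENDPOINT = "http://netbanking.apisec.ai:8080/api/v1/transfers"

# Constructed hardened header and endpoint for comparison (assumptions, not from the page).
HARDENED_SET_COOKIE = (
    "SESSION=NWU5YWM1ZGYtYzgwMS00NWNmLWI3ODYtNzJhYzA4NDE1ZWZm; "
    "Path=/; Secure; HttpOnly; SameSite=Strict"
)
HARDENED_ENDPOINT = "https://netbanking.apisec.ai/api/v1/transfers"


@dataclass
class ParsedCookie:
    name: str
    value: str
    # attribute names are stored lower-cased; flag attributes (Secure, HttpOnly) map to None
    attrs: Dict[str, Optional[str]] = field(default_factory=dict)

    def has(self, attr: str) -> bool:
        return attr.lower() in self.attrs

    @property
    def samesite(self) -> Optional[str]:
        v = self.attrs.get("samesite")
        return v.lower() if v else None


def parse_set_cookie(header: str) -> ParsedCookie:
    """Split a Set-Cookie header into name, value and attribute map (RFC 6265 style)."""
    segments = [s.strip() for s in header.split(";")]
    name, _, value = segments[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for seg in segments[1:]:
        if not seg:
            continue
        key, has_eq, val = seg.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_eq else None
    return ParsedCookie(name.strip(), value.strip(), attrs)


def audit_set_cookie(header: str, endpoint: str) -> List[str]:
    """Return a list of findings; an empty list means the cookie passes the check."""
    cookie = parse_set_cookie(header)
    findings: List[str] = []
    if not cookie.has("secure"):
        findings.append(f"{cookie.name}: Secure attribute missing; cookie may be sent over plaintext HTTP")
    if not cookie.has("httponly"):
        findings.append(f"{cookie.name}: HttpOnly attribute missing; readable by injected JavaScript")
    if cookie.samesite is None:
        findings.append(f"{cookie.name}: SameSite attribute missing; set Lax or Strict explicitly")
    elif cookie.samesite == "none" and not cookie.has("secure"):
        findings.append(f"{cookie.name}: SameSite=None requires Secure; browsers reject this cookie")
    # A Secure cookie is only returned over HTTPS, so the endpoint itself must use TLS
    # or the session cookie will never come back and the fix silently breaks the API.
    scheme = urlsplit(endpoint).scheme
    if scheme != "https":
        findings.append(f"endpoint {endpoint} is served over {scheme}; Secure cookies require HTTPS")
    return findings


if __name__ == "__main__":
    for label, hdr, url in (("captured", CAPTURED_SET_COOKIE, CAPTURED_ENDPOINT),
                            ("hardened", HARDENED_SET_COOKIE, HARDENED_ENDPOINT)):
        problems = audit_set_cookie(hdr, url)
        print(f"{label}: {'PASS' if not problems else 'FAIL'}")
        for p in problems:
            print("  -", p)
```

Running it reports three findings for the captured header (no Secure, no SameSite, endpoint not HTTPS) and none for the hardened one. The remediation on the server side is to emit `Secure; HttpOnly; SameSite=Lax` (or `Strict`) on the session cookie and serve the API only over TLS; setting the flag alone on an http:// endpoint is not a fix.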
IMPORTANT LINKS
Vulnerability Details: https://cloud.apisec.ai/#/app/vulnerabilities/projects/8adc80ec84e1cb220184e5f27d494dfb/dashboard/8adc823e85befabf0185c869e92b10bb/details
Project: https://cloud.apisec.ai/#/app/projects/8adc80ec84e1cb220184e5f27d494dfb/dashboard
Environment: https://cloud.apisec.ai/#/app/config-environments/projects/8adc80ec84e1cb220184e5f27d494dfb/environmentList
Scan Dashboard: https://cloud.apisec.ai/#/app/projects/8adc80ec84e1cb220184e5f27d494dfb/profiles/8adc80eb84e1c98e0184e5f2a02953c6/runs/8adc823d85bef6cb0185c869930d41f6
Playbook: https://cloud.apisec.ai/#/app/projects/8adc80ec84e1cb220184e5f27d494dfb/playbooks/ApiV1TransfersPutInsecureCookies
Coverage: https://cloud.apisec.ai/#/app/config-categories/projects/8adc80ec84e1cb220184e5f27d494dfb/categories
Code Sample: https://cloud.apisec.ai/#/app/vulnerabilities/projects/8adc80ec84e1cb220184e5f27d494dfb/dashboard/8adc823e85befabf0185c869e92b10bb/codesamples
PS: Please contact support@apisec.ai for apisec access and login issues.
--- apisec Bot ---