The following cookie was found to have the "HttpOnly" flag disabled.
Setting the "HttpOnly" flag on a cookie prevents attacks such as cross-site scripting (XSS), because the cookie cannot be accessed via the client side (e.g., cannot be accessed using a snippet of JavaScript code).
If an attacker can access the cookie on the client side, malicious code may be written to collect that cookie and any session/authentication information it carries.
Steps to Reproduce
While the app is running on a physical device, the test analyzes the network traffic to and from the app for attributes set within the cookies in use by the app to determine if the "HttpOnly" flag is set.
Business Impact
This app is using a setting for its communications that an attacker could potentially use to perform a type of attack called "cross-site scripting".
This is particularly dangerous for session cookies, which an attacker can use to hijack a user session and gain access to the user's data.
Remediation Resources
It is recommended to enable the "HttpOnly" flag to prevent access to the cookie from a client-side script.
More information can be found on this vulnerability at https://www.owasp.org/index.php/HttpOnly#Mitigating_the_Most_Common_XSS_attack_using_HttpOnly.
There are multiple ways to enable this flag, one of which is to set it within the response header:
The context table below provides the source and the type of cookie which was found to be vulnerable.
Risk and Regulatory Information
Severity: medium CVSS: 5.3
Application
See more detail in the NowSecure Report