My Heimdall Docker installation was scanned by OpenVAS and I found an insecure use of the cookie implementation, as well as a missing httpOnly attribute. I anticipate these are an easy fix but I haven't become familiar with the project yet.
The solution is to set the 'secure' attribute for any cookies that are sent over an SSL/TLS connection, and to set the 'httpOnly' attribute for any session cookie.
Vulnerability Insight for secure attribute:
The flaw is due to the cookie not using the 'secure' attribute, which allows the cookie to be passed to the server by the client over non-secure channels (http) and allows an attacker to conduct session hijacking attacks.
Vulnerability Insight for httpOnly attribute:
The flaw is due to a cookie not using the 'httpOnly' attribute. This allows the cookie to be accessed by JavaScript, which could lead to session hijacking attacks.
References for secure attribute:
https://www.owasp.org/index.php/SecureFlag
http://www.ietf.org/rfc/rfc2965.txt
https://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)
References for httpOnly attribute:
https://www.owasp.org/index.php/HttpOnly
https://www.owasp.org/index.php/Testing_for_cookies_attributes_(OTG-SESS-002)
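As an added example (not from this issue or the Heimdall project), a small Python check that reads the Set-Cookie headers of a response and reports which cookies lack the attributes the scanner expects: Secure on every cookie set over TLS, HttpOnly on the session cookie. The header values and the cookie names are constructed, and the session cookie name is an assumption passed in by the caller.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes an OpenVAS scan reports."""
from dataclasses import dataclass, field
from typing import Dict, List, Sequence, Tuple


@dataclass
class CookieFinding:
    name: str
    missing: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split one Set-Cookie header value into (name, value, {attribute: value}).
    Flag attributes such as HttpOnly and Secure map to an empty string."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_cookies(set_cookie_headers: Sequence[str], over_tls: bool = True,
                  session_names: Sequence[str] = ("heimdall_session",)) -> List[CookieFinding]:
    """Return one finding per cookie missing an attribute the scanner checks for."""
    findings: List[CookieFinding] = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        missing = []
        if over_tls and "secure" not in attrs:      # cookie may leak over plain http
            missing.append("Secure")
        if name in session_names and "httponly" not in attrs:  # readable by page JavaScript
            missing.append("HttpOnly")
        if missing:
            findings.append(CookieFinding(name, missing))
    return findings


# Constructed headers in the shape of a Laravel-style response; not captured from Heimdall.
BEFORE_FIX = [
    "XSRF-TOKEN=abc123; expires=Tue, 01 Jan 2030 00:00:00 GMT; Max-Age=7200; path=/; samesite=lax",
    "heimdall_session=def456; expires=Tue, 01 Jan 2030 00:00:00 GMT; Max-Age=7200; path=/; samesite=lax",
]
AFTER_FIX = [
    "XSRF-TOKEN=abc123; Max-Age=7200; path=/; secure; samesite=lax",
    "heimdall_session=def456; Max-Age=7200; path=/; httponly; secure; samesite=lax",
]

if __name__ == "__main__":
    for finding in audit_cookies(BEFORE_FIX):
        print(f"{finding.name}: missing {', '.join(finding.missing)}")
    print("after fix:", audit_cookies(AFTER_FIX) or "no findings")
```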