Description : When the Secure flag is set on a cookie, the browser will only send it over an encrypted channel (HTTPS) and will withhold it from any clear-text (HTTP) request.
The scanner discovered that a cookie was set without the Secure flag. Although this cookie was initially set over an HTTPS connection, any HTTP request to the same host (a plain http:// link, or a connection downgraded by an attacker on the path) will cause the browser to send the cookie in clear text, where it can be read or replayed by anyone who can observe the traffic.
Note that if the cookie does not contain sensitive information, the risk of this vulnerability is mitigated.
Solution : If the cookie contains sensitive information, the server should set the Secure attribute on it in the Set-Cookie header; for cookies written by client-side script, the attribute must be included in the document.cookie assignment instead. Serving a Strict-Transport-Security header is a useful complementary control, since it stops the browser issuing the HTTP request at all, but it does not replace the flag on the cookie itself.
Synopsis : Cookie Without Secure Flag Detected
risk_factor : low
Risk Information
cvss : 2.6
cvss_vector : CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N
cvssv3 : 3.1
cvssv3_vector : CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Reference Information
cwe : 614
wasc : Insufficient Transport Layer Protection
owasp : 2010-A9, 2013-A6, 2017-A3, 2021-A5
Input type : cookie
Input name : _gat_UA-93577176-12
Identification : URL
https://www.hackthebox.com/
Detection Information
Input Type : cookie Input Name : _gat_UA-93577176-12
Proof
Set-Cookie: _gat_UA-93577176-12=1; Path=/; Domain=.hackthebox.com
Additional Details
The scanner detected a cookie named '_gat_UA-93577176-12' without the Secure flag set. Note that this cookie does not appear in the Set-Cookie headers of the captured response: the two cookies the server itself sets there (XSRF-TOKEN and hackthebox_session) both carry the secure attribute, and hackthebox_session is also HttpOnly. The _gat_UA-* name is the Google Analytics request-throttling cookie, which is written by the analytics JavaScript in the page rather than by the server and carries no session data, so per the note in the Description the practical risk of this particular cookie is low; the fix, if wanted, belongs in the client-side script that sets it.
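The following is an added example that reproduces the check behind this finding; it is not the scanner's own code and is not part of the original report. It parses Set-Cookie header values, reports which cookies lack Secure (and, for context, HttpOnly and SameSite), and emits the corrected header. The sample headers are constructed from the Proof and Response sections above, with the long cookie values truncated; the attribute parsing follows RFC 6265 section 5.2 in simplified form.

```python
"""Audit Set-Cookie headers for the Secure flag and emit a hardened header.

Added example for this finding; it is not the scanner's own code. It
re-implements the check the scanner performs: parse each Set-Cookie header,
report cookies that lack Secure (and, for context, HttpOnly and SameSite),
and show what the corrected header should look like. The sample headers are
constructed from the Proof and Response sections of this finding, with the
long cookie values truncated.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Canonical spelling for well-known attributes when re-serialising.
_CANONICAL = {
    "secure": "Secure", "httponly": "HttpOnly", "samesite": "SameSite",
    "path": "Path", "domain": "Domain", "expires": "Expires", "max-age": "Max-Age",
}


@dataclass
class Cookie:
    name: str
    value: str
    # lower-cased attribute name -> value, or None for valueless flags
    attrs: Dict[str, Optional[str]] = field(default_factory=dict)

    def has(self, attr: str) -> bool:
        return attr.lower() in self.attrs

    def serialize(self) -> str:
        parts = [f"{self.name}={self.value}"]
        for key, val in self.attrs.items():
            canon = _CANONICAL.get(key, key)
            parts.append(canon if val is None else f"{canon}={val}")
        return "; ".join(parts)


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value (RFC 6265 section 5.2, simplified).

    Attribute names are case-insensitive, so they are lower-cased; the cookie
    value is split on the first '=' only, because values may contain '='.
    """
    pieces = [p.strip() for p in header.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for piece in pieces[1:]:
        if not piece:
            continue
        key, sep, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return Cookie(name.strip(), value.strip(), attrs)


def audit(headers: List[str]) -> Dict[str, List[str]]:
    """Return, per hardening attribute, the names of cookies that lack it."""
    missing: Dict[str, List[str]] = {"secure": [], "httponly": [], "samesite": []}
    for header in headers:
        cookie = parse_set_cookie(header)
        for attr in missing:
            if not cookie.has(attr):
                missing[attr].append(cookie.name)
    return missing


def harden(header: str) -> str:
    """Add the Secure flag to a Set-Cookie header if it is absent.

    Only Secure is added: HttpOnly would break cookies that client-side script
    must read, and SameSite needs a per-cookie decision, so both are reported
    by audit() but left to the application owner.
    """
    cookie = parse_set_cookie(header)
    cookie.attrs.setdefault("secure", None)
    return cookie.serialize()


# Constructed sample: the three Set-Cookie values visible in this finding.
SAMPLE_HEADERS = [
    "_gat_UA-93577176-12=1; Path=/; Domain=.hackthebox.com",
    "XSRF-TOKEN=eyJpdiI6IlVR...; expires=Wed, 23-Feb-2022 12:16:10 GMT; "
    "Max-Age=7200; path=/; secure",
    "hackthebox_session=eyJpdiI6Ikhz...; expires=Wed, 23-Feb-2022 12:16:10 GMT; "
    "Max-Age=7200; path=/; secure; httponly",
]

if __name__ == "__main__":
    for attr, names in audit(SAMPLE_HEADERS).items():
        print(f"missing {attr}: {names}")
    print(harden(SAMPLE_HEADERS[0]))
```

Run against the sample, audit() reports only _gat_UA-93577176-12 as missing Secure, matching the finding, while also showing that XSRF-TOKEN lacks HttpOnly and that none of the three cookies declares SameSite. harden() rewrites the flagged header as "_gat_UA-93577176-12=1; Path=/; Domain=.hackthebox.com; Secure"; because that cookie is set by client-side script, the same Secure attribute has to be appended in the document.cookie assignment rather than in a server header.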
Request
GET / HTTP/2
Host: www.hackthebox.com
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4158.0 Safari/537.36
accept: */*
accept-language: en-US,en;q=0.5
Response
HTTP/2 200
date: Wed, 23 Feb 2022 10:16:10 GMT
content-type: text/html; charset=UTF-8
vary: Accept-Encoding
cache-control: no-cache, private
set-cookie: XSRF-TOKEN=eyJpdiI6IlVRSjdnOHBORTA2TW1aZW9JalFSWXc9PSIsInZhbHVlIjoiNkhnZXAyNDlXV1gralpkeXNCSlUyT0tzMlhiRTJEaTR3TnZBNnlGd05RMzRBTFZyV1pNMytxdER3elwvd2swVTF1Z0pwWExQUSszOUxZaG40UURnTU93eHFVcjgyVWo3Ym5JRHBhNEw4Z292eXM0MWZOcEpOK21UZncwS01vUmU1IiwibWFjIjoiM2Y2ZjUyODgwMjdiNWM3NDRmNDU2OWRkNDA4MTJiOGMzYWEzNmFhYzdiYzMwNzRmYmVhZmQ3MTc1OTY5NDU1MyJ9; expires=Wed, 23-Feb-2022 12:16:10 GMT; Max-Age=7200; path=/; secure
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
access-control-allow-origin: https://app.hackthebox.com
access-control-allow-credentials: true
access-control-allow-methods: GET, POST, PUT, DELETE, OPTIONS
access-control-allow-headers: Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With
set-cookie: hackthebox_session=eyJpdiI6IkhzVUpwVHhhQzNRek91MEFYVWU1a2c9PSIsInZhbHVlIjoiYVhTMVlOUHdnWXRuWHcxbEVVYlROeUwzZjdITDVqa1BYbWl1eCt0RWtkcTR0dVZFNmxjcXQxZGgyRW5iWHpCQzRPZGZFWm9cL3Nnamd0TWtteFZTVmF4amVmT05QSmRtb1Rnd0NJbTFlOVJrWk5KbEU1T1wvQXNZaXVyS25tTmRwdiIsIm1hYyI6ImZhMTA3ZGUyZDZlMjJhOTBhOTViYmI0ZWU4MTQ1ODUyZjU0N2QyM2Q5YmI0ZmJjMWU1NDhkYjE2NWM4ZmVkZTQifQ%3D%3D; expires=Wed, 23-Feb-2022 12:16:10 GMT; Max-Age=7200; path=/; secure; httponly
cf-cache-status: DYNAMIC
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
server: cloudflare
cf-ray: 6e1fb2781d7d602e-SEA
content-encoding: gzip
Mitigation : If the cookie contains sensitive information, then the server should ensure that the cookie has the Secure flag set.