[Web] - Missing Secure Flag on Session Cookie

Description

Overview

Cookies are often a key attack vector for malicious users (typically targeting other users) and the application should always take due diligence to protect cookies. This section looks at how an application can take the necessary precautions when assigning cookies, and how to test that these attributes have been correctly configured.

The importance of the secure use of cookies cannot be overstated, especially within dynamic web applications, which need to maintain state across a stateless protocol such as HTTP. To understand the importance of cookies it is necessary to understand what they are primarily used for: as a session authorization and authentication token, or as a temporary data container. Thus, if an attacker were able to acquire a session token (for example, by exploiting a cross-site scripting vulnerability or by sniffing an unencrypted session), they could use this cookie to hijack a valid session.

Additionally, cookies are set to maintain state across multiple requests. Since HTTP is stateless, the server cannot determine whether a request it receives is part of a current session or the start of a new session without some type of identifier. This identifier is very commonly a cookie, although other methods are also possible. Many types of applications need to keep track of session state across multiple requests; the primary one that comes to mind is an online store. As a user adds multiple items to a shopping cart, this data needs to be retained in subsequent requests to the application. Cookies are very commonly used for this task and are set by the application using the Set-Cookie header in the application's HTTP response, usually in name=value format (if cookies are enabled and supported, as is the case for all modern web browsers). Once an application has told the browser to use a particular cookie, the browser will send this cookie in each subsequent request. A cookie can contain data such as items from an online shopping cart, the price of these items, the quantity of these items, personal information, user IDs, etc.

Due to the sensitive nature of the information in cookies, they are typically encoded or encrypted in an attempt to protect the information they contain. Often, multiple cookies will be set (separated by a semicolon) upon subsequent requests. For example, in the case of an online store, a new cookie could be set as the user adds multiple items to the shopping cart. Additionally, there will typically be a cookie for authentication (the session token as indicated above) once the user logs in, and multiple other cookies used to identify the items the user wishes to purchase and their auxiliary information (e.g., price and quantity) in the online-store type of application.

Browser URL

https://pentest24.eastus.cloudapp.azure.com/opennms/j_spring_security_check

Steps To Reproduce

  • Log in to the web application and proxy the traffic through Burp Suite or any other intercepting proxy tool.

  • Observe that the application sets the JSESSIONID cookie without the HTTPOnly and Secure flags.

![Screenshot 2024-04-15 at 11.18.11 AM.png](https://api.us.cobalt.io/v1/attachments/att_EjNJ5x4/preview)

Severity

informational

If a cross-site scripting vulnerability were to be discovered, an attacker could use the lack of the HTTPOnly flag to access the contents of this cookie using a JavaScript payload. Hence, this issue represents a threat with Low Severity.

Suggested Fix

Set the `Secure` and `HTTPOnly` cookie flags for the session token.
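The following cookie audit, added here as an example and not part of the original report or of OpenNMS, automates the check from the steps above and shows what the suggested fix looks like on the wire. It takes a raw HTTP response, extracts every Set-Cookie header, and reports which of Secure, HttpOnly and SameSite are missing on known session cookies; the captured 302 response from this report is embedded (header block only), alongside a constructed copy with the Secure attribute added. The session-cookie name list and the helper names are assumptions for this example.

```python
"""Audit Set-Cookie headers for missing Secure / HttpOnly / SameSite attributes."""

# Header block of the 302 response captured in this report (body omitted).
CAPTURED_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Server: nginx/1.20.1\r\n"
    "Set-Cookie: JSESSIONID=node0dyw8beznr7ia1id5ivjfygq8e45950.node0; "
    "Path=/opennms; HttpOnly; SameSite=Strict\r\n"
    "Location: https://pentest24.eastus.cloudapp.azure.com/opennms/frontPage.htm\r\n"
    "\r\n"
)

# Constructed: the same response after applying the suggested fix (Secure added).
FIXED_RESPONSE = CAPTURED_RESPONSE.replace(
    "HttpOnly; SameSite=Strict", "Secure; HttpOnly; SameSite=Strict")

# Assumed list of cookie names that carry a session token (extend as needed).
SESSION_COOKIE_NAMES = {"JSESSIONID", "PHPSESSID", "ASP.NET_SESSIONID", "SESSION"}


def set_cookie_headers(raw_response):
    """Return the values of all Set-Cookie headers in a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        key, _, value = line.partition(":")
        if key.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (cookie name, {attribute: value-or-None})."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip() or None   # flag attrs have no value
    return name, attrs


def audit_response(raw_response):
    """Map each session cookie name to the list of protective attributes it lacks."""
    findings = {}
    for value in set_cookie_headers(raw_response):
        name, attrs = parse_set_cookie(value)
        if name.upper() not in SESSION_COOKIE_NAMES:
            continue
        missing = [flag for flag in ("Secure", "HttpOnly") if flag.lower() not in attrs]
        if (attrs.get("samesite") or "").lower() not in ("lax", "strict"):
            missing.append("SameSite")
        findings[name] = missing
    return findings


if __name__ == "__main__":
    print("captured:", audit_response(CAPTURED_RESPONSE))   # {'JSESSIONID': ['Secure']}
    print("fixed:   ", audit_response(FIXED_RESPONSE))      # {'JSESSIONID': []}
```

Note that the captured header already carries HttpOnly and SameSite=Strict, so on this response the audit reports only the missing Secure attribute.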

Prerequisites

HTTP Request

Request:

POST /opennms/j_spring_security_check HTTP/1.1
Host: pentest24.eastus.cloudapp.azure.com
Cookie: JSESSIONID=node0rx83c072y6p3haqy9zuym13245948.node0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 77
Origin: null
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

j_username=pentest24&j_password=uPheebahshoh4eexaegh2024&j_usergroups=&Login=

Response:

HTTP/1.1 302 Found
Server: nginx/1.20.1
Date: Mon, 15 Apr 2024 13:18:31 GMT
Content-Length: 0
Connection: close
X-Frame-Options: SAMEORIGIN
Cache-Control: no-store
Pragma: no-cache
Content-Security-Policy: default-src 'none' ; frame-src 'self' ; manifest-src 'self' ; media-src 'self' ; script-src 'self' 'unsafe-inline' 'unsafe-eval'; font-src 'self' https://fonts.googleapis.com https://fonts.gstatic.com; connect-src 'self' ; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; base-uri 'self' ; form-action 'self' ; img-src 'self' https://tiles.opennms.org https://*.tile.openstreetmap.org https://*.tile.opentopomap.org data:
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer
Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=()
Set-Cookie: JSESSIONID=node0dyw8beznr7ia1id5ivjfygq8e45950.node0; Path=/opennms; HttpOnly; SameSite=Strict
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Location: https://pentest24.eastus.cloudapp.azure.com/opennms/frontPage.htm

Cobalt URL

#PT22584_1

Acceptance / Success Criteria

None

Attachments

  • 1 attachment, 13 Jun 2024, 06:31 PM

Activity

Christian Pape July 18, 2024 at 1:36 PM

Merged.

Christian Pape July 16, 2024 at 7:45 AM

Fixed

Details

Created June 13, 2024 at 6:31 PM
Updated July 25, 2024 at 5:26 PM
Resolved July 18, 2024 at 1:36 PM