kentwood - session cookie without secure flag - (XSS)

2020.12.10
nc01 (IR)
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

#Exploit title : kentwood - cross site scripting (XSS) - session cookie without secure flag
#Vendor Homepage: https://kentwood.us
#Date: 2020-07-12
#Tested on : windows 10
#Risk: medium
#version: 0.1
#category: webapps

################################
cross site scripting:

#Discussion:
Cross-site scripting (XSS) is a class of vulnerabilities affecting web applications that can result in security controls implemented in browsers being circumvented. When a browser visits a page on a website, script code originating in the website's domain can access and manipulate the DOM (document object model), a representation of the page and its properties in the browser. Script code from another website cannot. This is known as the "same origin policy", a critical control in the browser security model.

Cross-site scripting vulnerabilities occur when a lack of input validation permits users to inject script code into the target website such that it runs in the browser of another user who is visiting the same website. This circumvents the browser's same-origin policy because the browser has no way to distinguish authentic script code from inauthentic script code apart from its origin.

#Impact:
The precise impact depends greatly on the application. XSS is generally a threat to web applications that have authenticated users or are otherwise security sensitive. Malicious code may be able to manipulate the content of the site, changing its appearance and/or function for another user. This includes modifying the behavior of the web application (such as redirecting forms). The code may also be able to perform actions within the application without the user's knowledge. Script code can also obtain and retransmit cookie values if they have not been set HttpOnly.

#Remediation:
The developer must identify how the untrustworthy data is being output to the client without adequate filtering. There are various language/platform-specific techniques for filtering (encoding) untrustworthy data before it is written into the page.

#Request:
GET /search.php?q=1'%20-->">'>'"

#####################################
session cookie without secure flag

#Resource Content:
PHPSESSID=7f87od2b17eia94uki4pcfcf53; path=/

#Discussion:
I detected that a known session cookie may have been set without the secure flag.

#Impact:
1. Cookies can be exposed to network eavesdroppers.
2. Session cookies are authentication credentials; attackers who obtain them can get unauthorized access to affected web applications.

#Remediation:
When creating the cookie in the code, set the secure flag to true.

#######################
#discovered by : NC01
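The cookie-flag check described above, as an added example that is not part of the original advisory: it parses `Set-Cookie` values and reports session cookies missing the Secure, HttpOnly and SameSite attributes. The sample headers are constructed from the cookie quoted in the finding, and the list of session cookie names is an assumption.

```python
"""Audit Set-Cookie header values for missing security attributes.

Added example for this advisory (not the original report's code). The
sample headers below are constructed from the PHPSESSID cookie quoted in
the finding; the second one is a hardened variant for comparison.
"""
from typing import Dict, List, Tuple

# Assumption: names commonly used for session identifiers; extend as needed.
SESSION_COOKIE_NAMES = {"phpsessid", "jsessionid", "asp.net_sessionid", "sessionid"}

# Constructed sample input: the finding's cookie as-is, then a hardened version.
SAMPLE_HEADERS = [
    "PHPSESSID=7f87od2b17eia94uki4pcfcf53; path=/",
    "PHPSESSID=7f87od2b17eia94uki4pcfcf53; path=/; Secure; HttpOnly; SameSite=Lax",
]


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as Secure map to "".
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_cookie(header: str) -> List[str]:
    """Return findings for one Set-Cookie value; an empty list means hardened."""
    name, _, attrs = parse_set_cookie(header)
    findings: List[str] = []
    if "secure" not in attrs:
        findings.append("missing Secure: sent over plain HTTP, exposed to eavesdroppers")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by injected script (XSS)")
    if "samesite" not in attrs:
        findings.append("missing SameSite: attached to cross-site requests")
    # A session cookie with any gap is a credential-exposure issue, so flag it first.
    if findings and name.lower() in SESSION_COOKIE_NAMES:
        findings.insert(0, f"session cookie {name} lacks hardening attributes")
    return findings


if __name__ == "__main__":
    for hdr in SAMPLE_HEADERS:
        print(hdr, "->", audit_cookie(hdr) or ["ok"])
```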


Copyright 2024, cxsecurity.com
