jackwebster - session cookie without secure flag

2020.12.14
Author: nc01 (IR)
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

#Exploit title: jackwebster - session cookie without secure flag
#Vendor Homepage: http://www.jackwebster.com
#Google dork: inurl:/winners.php?year=2008&type= /winners.php?
#Vulnerabilities:
  session cookie without secure flag | Risk= medium
  Directory listing | Risk= Low
  HTTP trace support | Risk= low
#Date: 12-13-2020
#Tested on: windows 10
#Version: 0.1
#Category: webapps
################################
session cookie without secure flag
#Resource Content
PHPSESSID=3c43bd6f3ae50739e5972394dded2da0; path=/
#Discussion:
I detected that a known session cookie may have been set without the secure flag.
#Impact
Cookies can be exposed to network eavesdroppers. Session cookies are authentication credentials; attackers who obtain them can get unauthorized access to affected web applications.
#Remediation:
When creating the cookie in the code, set the secure flag to true.
#####################################
HTTP trace support:
#Resource Content
TRACE /jwf.ico HTTP/1.1
SQUEEM1SH: OSS1FR4GE
Accept-Encoding: gzip,deflate
Host: www.jackwebster.com
Connection: Keep-Alive
User-Agent: UserAgent
Cookie: PHPSESSID=3c43bd6f3ae50739e5972394dded2da0
Cookie2: $Version=1
#Discussion
HTTP TRACE is an HTTP method that requests that the server echo the TRACE request back to the client. This includes headers that were sent along with the request. Support for HTTP TRACE can be abused in scenarios where a cross-site scripting vulnerability has been found, but cannot be exploited to retrieve cookie values because the target cookies are set with the HttpOnly flag. The HttpOnly flag instructs browsers not to permit access to the cookie by JavaScript. If a cross-site scripting vulnerability is found, but the session cookie is set HttpOnly, support for HTTP TRACE will open an opportunity for cookie theft.
An attacker can use the cross-site scripting vulnerability to have the target user's browser issue a TRACE request to the server via XMLHttpRequest (or a similar function) and then retrieve the cookie from the response, which will contain the request that was sent by the browser, including cookies.
#Impact
Allowing HTTP TRACE can permit cross-site tracing. Attackers may be able to use cross-site tracing with cross-site scripting to retrieve the value of HttpOnly cookies.
#Remediation
For Apache based servers, the TraceEnable directive can be used to disable support for HTTP TRACE. For IIS based servers, the EnableTraceMethod registry setting controls support for HTTP TRACE.
#External Remediation Guidelines
Below are some links to third-party guidelines, tutorials and other documentation that may be useful in understanding and/or addressing this finding.
#IBM HTTP Server: Disabling the HTTP TRACE method
#Apache 2: TraceEnable Directive
#Windows Server 2012: WWW Service Registry Entries - EnableTraceMethod
#W2K3 Server: WWW Service Registry Entries - EnableTraceMethod
#################################
#discovered by : NC01
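As an added example (not part of this advisory), a small Python check that parses Set-Cookie headers the way a scanner would and reports the attributes the session-cookie finding is about; the sample headers are constructed, the first one copied from the resource content above, and the SESSION_NAMES list is an assumption.

```python
"""Audit Set-Cookie headers for Secure/HttpOnly/SameSite (added example, not the advisory's code; samples are constructed)."""

# Constructed sample: the cookie line quoted in the advisory, a hardened version
# of the same cookie, and a non-session cookie for comparison.
SAMPLE_HEADERS = [
    "Set-Cookie: PHPSESSID=3c43bd6f3ae50739e5972394dded2da0; path=/",
    "Set-Cookie: PHPSESSID=3c43bd6f3ae50739e5972394dded2da0; Path=/; Secure; HttpOnly; SameSite=Lax",
    "Set-Cookie: theme=dark; Path=/; Max-Age=31536000",
]

# Cookie names treated as session/authentication cookies (assumed list).
SESSION_NAMES = {"phpsessid", "jsessionid", "asp.net_sessionid", "sessionid", "session"}

def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header into name, value and a lowercase attribute map; flag attributes map to ""."""
    body = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    parts = [p.strip() for p in body.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}

def audit_cookie(header: str) -> list:
    """Return findings for one Set-Cookie header; an empty list means no issue."""
    cookie = parse_set_cookie(header)
    attrs, name = cookie["attrs"], cookie["name"]
    is_session = name.lower() in SESSION_NAMES
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure flag, cookie can be sent over plaintext HTTP")
    if is_session and "httponly" not in attrs:
        findings.append(f"{name}: session cookie missing HttpOnly flag, readable by script")
    if is_session and "samesite" not in attrs:
        findings.append(f"{name}: session cookie missing SameSite attribute")
    return findings

def audit_headers(headers: list) -> list:
    """Audit every Set-Cookie header in a response and flatten the findings."""
    results = []
    for header in headers:
        if header.lower().startswith("set-cookie:"):
            results.extend(audit_cookie(header))
    return results

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS):
        print(finding)
```

The first sample reproduces the advisory's finding (no Secure, and for a session cookie also no HttpOnly or SameSite); the second shows the header the remediation should produce.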


Copyright 2024, cxsecurity.com
