Bug #4069

closed

cookie_test causes false positives in vulnerability scanners

Added by Koen de Boeve over 9 years ago. Updated about 9 years ago.

Status: Resolved
Priority: Low
Category: Web Interface
Target version:
Start date: 12/03/2014
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: All
Affected Architecture:

Description

OpenVAS reports a vulnerability:

Vulnerability Detection Result
The cookies:

Set-Cookie: cookie_test=1417649215

are missing the secure attribute.
Affected Software/OS
Server with SSL.

Workaround: Set the 'secure' attribute for any cookies that are sent over an SSL connection.

Vulnerability Insight
The flaw is due to SSL cookie is not using 'secure' attribute, which allows cookie to be passed to the server by the client over non-secure channels (http) and allows attacker to conduct session hijacking attacks. remote systems.

Impact Level: Application

Vulnerability Detection Method
Details: Missing Secure Attribute SSL Cookie Information Disclosure Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.902661)

Version used: $Revision: 836 $

References
Other: http://www.ietf.org/rfc/rfc2965.txt
https://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)

Actions #1

Updated by Chris Buechler over 9 years ago

  • Status changed from New to Rejected

Every meaningful cookie sets secure in all versions. That's flagging on the cookie_test that does nothing but check whether your browser's cookies function.

Actions #2

Updated by Chris Buechler over 9 years ago

  • Subject changed from Missing Secure Attribute SSL Cookie Information Disclosure Vulnerability to cookie_test causes false positives in vulnerability scanners
  • Category set to Web Interface
  • Status changed from Rejected to Confirmed
  • Priority changed from Normal to Low
  • Target version set to 2.2
  • Affected Version changed from 2.1.5 to All

After further consideration, I will make this a bug, but corrected to the real issue (subject fixed). We can make people's lives easier in audits by getting rid of this false positive, just setting the cookie parameters on cookie_test the same as the session cookie.

There is no security issue here, but where we can eliminate false positives in common vulnerability scanners, it's good to do so.
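The scanner's check and the parity rule proposed in the comment above, as an added example that is not pfSense or OpenVAS code: it lists cookies sent without `Secure` and reports any cookie whose `Secure`/`HttpOnly` flags differ from the session cookie's. The session cookie name `PHPSESSID`, its value and its attributes are assumptions; only the `cookie_test` header comes from the report.

```python
"""Flag cookies whose Secure/HttpOnly flags differ from the session cookie."""

# Constructed sample: Set-Cookie values from one HTTPS response. cookie_test is
# the header quoted in the report; PHPSESSID and its attributes are assumptions.
SAMPLE_HEADERS = [
    "PHPSESSID=0123456789abcdef; path=/; secure; HttpOnly",
    "cookie_test=1417649215",
]


def parse_set_cookie(value):
    """Return (name, flags); flags is the set of lower-cased attribute names."""
    parts = [p.strip() for p in value.split(";")]
    name, _, _ = parts[0].partition("=")
    flags = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
    return name.strip(), flags


def missing_secure(headers):
    """Names of cookies sent without Secure (what the scanner flags)."""
    return [name for name, flags in map(parse_set_cookie, headers)
            if "secure" not in flags]


def differs_from_session(headers, session_name, checked=("secure", "httponly")):
    """Map cookie name -> attributes the session cookie has but it lacks."""
    cookies = dict(parse_set_cookie(h) for h in headers)
    if session_name not in cookies:
        raise KeyError(f"session cookie {session_name!r} not present")
    reference = cookies[session_name] & set(checked)
    return {name: sorted(reference - flags)
            for name, flags in cookies.items()
            if name != session_name and reference - flags}


if __name__ == "__main__":
    print(missing_secure(SAMPLE_HEADERS))
    print(differs_from_session(SAMPLE_HEADERS, "PHPSESSID"))
```
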

Actions #3

Updated by Jim Thompson over 9 years ago

  • Assignee set to Chris Buechler

Actions #4

Updated by Renato Botelho about 9 years ago

  • Status changed from Confirmed to Feedback
  • % Done changed from 0 to 100

Actions #6

Updated by Chris Buechler about 9 years ago

  • Status changed from Feedback to Confirmed
  • Assignee changed from Chris Buechler to Renato Botelho

This exhibits the behavior I was seeing in a fix I attempted, then got sidetracked on other things after not quickly seeing the reason why. cookie_test is no longer set now, yet it still lets you log in.

Actions #7

Updated by Renato Botelho about 9 years ago

  • Status changed from Confirmed to Feedback

Actions #9

Updated by Chris Buechler about 9 years ago

  • Status changed from Feedback to Resolved

Fixed.
