Bug #4069
closedcookie_test causes false positives in vulnerability scanners
100%
Description
openvas reports vulnerability:
Vulnerability Detection Result
The cookies:
Set-Cookie: cookie_test=1417649215
are missing the secure attribute.
Affected Software/OS
Server with SSL.
Workaround: Set the 'secure' attribute for any cookies that are sent over an SSL connection.
Vulnerability Insight
The flaw is due to SSL cookie is not using 'secure' attribute, which allows cookie to be passed to the server by the client over non-secure channels (http) and allows attacker to conduct session hijacking attacks. remote systems.
Impact Level: Application
Vulnerability Detection Method
Details: Missing Secure Attribute SSL Cookie Information Disclosure Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.902661)
Version used: $Revision: 836 $
References
Other: http://www.ietf.org/rfc/rfc2965.txt
https://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)
Updated by Chris Buechler about 10 years ago
- Status changed from New to Rejected
every meaningful cookie sets secure in all versions. That's flagging on the cookie_test that does nothing but check whether your browser's cookies function.
Updated by Chris Buechler about 10 years ago
- Subject changed from Missing Secure Attribute SSL Cookie Information Disclosure Vulnerability to cookie_test causes false positives in vulnerability scanners
- Category set to Web Interface
- Status changed from Rejected to Confirmed
- Priority changed from Normal to Low
- Target version set to 2.2
- Affected Version changed from 2.1.5 to All
After further consideration, I will make this a bug, but corrected to the real issue (subject fixed). We can make people's lives easier in audits by getting rid of this false positive, just setting the cookie parameters on cookie_test the same as the session cookie.
There is no security issue here, but where we can eliminate false positives in common vulnerability scanners, it's good to do so.
Updated by Renato Botelho almost 10 years ago
- Status changed from Confirmed to Feedback
- % Done changed from 0 to 100
Applied in changeset 39c502347d5a87a2376f74b912c1281ba79131ee.
Updated by Renato Botelho almost 10 years ago
Applied in changeset b785a40bac3b2aeee993fd3302eff7e781654586.
Updated by Chris Buechler almost 10 years ago
- Status changed from Feedback to Confirmed
- Assignee changed from Chris Buechler to Renato Botelho
this exhibits the behavior I was seeing in a fix I attempted, then got sidetracked on other things after not quickly seeing the reason why. cookie_test is no longer set now, yet it still lets you log in.
Updated by Renato Botelho almost 10 years ago
- Status changed from Confirmed to Feedback
Applied in changeset ce997e6a88e9eb23c03b73f89d38257ce37a4023.
Updated by Renato Botelho almost 10 years ago
Applied in changeset 9156a51d0cb8f7124be3c173ea9bebc057f662b5.