Bug #4069
closed
cookie_test causes false positives in vulnerability scanners
Added by Koen de Boeve over 11 years ago.
Updated about 11 years ago.
Description
OpenVAS reports a vulnerability:
Vulnerability Detection Result
The cookies:
Set-Cookie: cookie_test=1417649215
are missing the secure attribute.
Affected Software/OS
Server with SSL.
Workaround: Set the 'secure' attribute for any cookies that are sent over an SSL connection.
Vulnerability Insight
The flaw is due to SSL cookie is not using 'secure' attribute, which allows cookie to be passed to the server by the client over non-secure channels (http) and allows attacker to conduct session hijacking attacks. remote systems.
Impact Level: Application
Vulnerability Detection Method
Details: Missing Secure Attribute SSL Cookie Information Disclosure Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.902661)
Version used: $Revision: 836 $
References
Other: http://www.ietf.org/rfc/rfc2965.txt
https://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)
- Status changed from New to Rejected
Every meaningful cookie sets secure in all versions. That's flagging on the cookie_test that does nothing but check whether your browser's cookies function.
- Subject changed from Missing Secure Attribute SSL Cookie Information Disclosure Vulnerability to cookie_test causes false positives in vulnerability scanners
- Category set to Web Interface
- Status changed from Rejected to Confirmed
- Priority changed from Normal to Low
- Target version set to 2.2
- Affected Version changed from 2.1.5 to All
After further consideration, I will make this a bug, but corrected to the real issue (subject fixed). We can make people's lives easier in audits by getting rid of this false positive, just setting the cookie parameters on cookie_test the same as the session cookie.
There is no security issue here, but where we can eliminate false positives in common vulnerability scanners, it's good to do so.
- Assignee set to Chris Buechler
- Status changed from Confirmed to Feedback
- % Done changed from 0 to 100
Applied in changeset commit:39c502347d5a87a2376f74b912c1281ba79131ee.
Applied in changeset commit:b785a40bac3b2aeee993fd3302eff7e781654586.
- Status changed from Feedback to Confirmed
- Assignee changed from Chris Buechler to Renato Botelho
This exhibits the behavior I was seeing in a fix I attempted, then got sidetracked on other things after not quickly seeing the reason why. cookie_test is no longer set now, yet it still lets you log in.
- Status changed from Confirmed to Feedback
Applied in changeset commit:ce997e6a88e9eb23c03b73f89d38257ce37a4023.
Applied in changeset commit:9156a51d0cb8f7124be3c173ea9bebc057f662b5.
- Status changed from Feedback to Resolved
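Added example, not part of the original ticket or of the project's code: a small Python check that reproduces what the scanner flags (a Set-Cookie header without the secure attribute) and also reports cookies whose flags differ from the session cookie, which is the condition the fix described above removes. The session cookie name PHPSESSID, its attributes, and the sample headers are constructed assumptions; only the cookie_test line comes from the report.

```python
# Constructed sample headers. Only the cookie_test line is taken from the
# scanner report; PHPSESSID and its attributes are assumptions.
BEFORE_FIX = [
    "Set-Cookie: PHPSESSID=abc123; path=/; secure; HttpOnly",
    "Set-Cookie: cookie_test=1417649215",
]
AFTER_FIX = [
    "Set-Cookie: PHPSESSID=abc123; path=/; secure; HttpOnly",
    "Set-Cookie: cookie_test=1417649215; path=/; Secure; HttpOnly",
]


def parse_set_cookie(line):
    """Return (name, attrs); attrs maps lowercased attribute names to values."""
    if line.lower().startswith("set-cookie:"):
        line = line.split(":", 1)[1]
    parts = [p.strip() for p in line.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:  # parts[0] is name=value, never an attribute
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def missing_secure(headers):
    """Names of cookies set without the secure attribute (the scanner's finding)."""
    return [n for n, a in map(parse_set_cookie, headers) if "secure" not in a]


def attribute_drift(headers, reference, flags=("secure", "httponly")):
    """Flags the reference (session) cookie carries that other cookies lack."""
    cookies = dict(parse_set_cookie(h) for h in headers)
    ref = cookies[reference]
    drift = {}
    for name, attrs in cookies.items():
        lacking = [f for f in flags if f in ref and f not in attrs]
        if name != reference and lacking:
            drift[name] = lacking
    return drift


if __name__ == "__main__":
    for label, headers in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(label, missing_secure(headers), attribute_drift(headers, "PHPSESSID"))
```

Running the drift check against a session cookie shows at a glance whether a scanner finding concerns a meaningful cookie or only a helper cookie with looser flags.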