Project

General

Profile

Actions

Bug #4069

closed

cookie_test causes false positives in vulnerability scanners

Added by Koen de Boeve almost 10 years ago. Updated almost 10 years ago.

Status:
Resolved
Priority:
Low
Category:
Web Interface
Target version:
Start date:
12/03/2014
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
All
Affected Architecture:

Description

openvas reports vulnerability:

Vulnerability Detection Result
The cookies:

Set-Cookie: cookie_test=1417649215

are missing the secure attribute.
Affected Software/OS
Server with SSL.

Workaround: Set the 'secure' attribute for any cookies that are sent over an SSL connection.

Vulnerability Insight
The flaw is due to SSL cookie is not using 'secure' attribute, which allows cookie to be passed to the server by the client over non-secure channels (http) and allows attacker to conduct session hijacking attacks. remote systems.

Impact Level: Application

Vulnerability Detection Method
Details: Missing Secure Attribute SSL Cookie Information Disclosure Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.902661)

Version used: $Revision: 836 $

References
Other: http://www.ietf.org/rfc/rfc2965.txt
https://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)

Actions

Also available in: Atom PDF