AttackFlow Findings Dictionary


Missing Secure Cookie Attribute

The attacker may be able to steal session IDs or other critical cookie values in cleartext by forcing the client's browser to use HTTP instead of HTTPS.

Severity

Medium

Fix Cost

Low

Trust Level

High

Authenticated session IDs, which are issued to a user after a successful authentication attempt, uniquely identify that user and travel in HTTP cookies. These cookies are sent with every subsequent HTTP request to prove that the requester is the user who previously authenticated.

Therefore, if an adversary intercepts any of the HTTP requests between the victim user's browser and the target server, they may be able to steal the session cookie and impersonate the victim.

The main protection against such a man-in-the-middle attack is using SSL/TLS (HTTPS) with valid certificates on the server side. If SSL is used and the attacker intercepts the traffic, they will not be able to decrypt the messages (or the session cookie). However, if the web application contains both HTTP and HTTPS links or assets, which is called mixed content, then when the user clicks an HTTP link after authentication, the session cookie will travel to the target web application over HTTP, and a traffic-intercepting adversary can read it in plaintext. The Secure cookie attribute prevents exactly this: a browser never sends a cookie marked Secure over an unencrypted connection, so the cookie must be issued with that attribute set.

Here is C# (ASP.NET) code that uses a custom cookie as a session identifier without the Secure attribute:

// ASP.NET (System.Web): custom session cookie issued without the Secure attribute
HttpCookie cookie = new HttpCookie("SessionID", token);
cookie.Secure = false;        // browser will also send this cookie over plain HTTP
Response.Cookies.Add(cookie);

Or here is the equivalent ASP.NET web.config setting, which leaves the Secure flag off for the cookies the application issues:

<configuration>
  <system.web>
    <httpCookies requireSSL="false" />
  </system.web>
</configuration>


The Java Servlet equivalent, a custom cookie used as a session identifier without the Secure attribute:

// javax.servlet.http.Cookie: custom session cookie issued without the Secure attribute
Cookie cookie = new Cookie("mycookie", token);   // the constructor requires (name, value)
cookie.setSecure(false);                          // browser will also send it over plain HTTP
response.addCookie(cookie);

And here is the equivalent web.xml configuration for the container-managed session cookie (Servlet 3.0 and later):

<session-config>
  <cookie-config>
    <secure>false</secure>
  </cookie-config>
</session-config>
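As an added defender-side check (not part of this AttackFlow entry), the Python script below parses Set-Cookie response headers and reports session cookies issued without the Secure attribute, covering the ASP.NET and Servlet default cookie names as well as the custom "SessionID" name from the C# sample above. The cookie-name set and the sample headers are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Added example (not AttackFlow's code). Session cookie names are an assumption:
# the ASP.NET and Servlet defaults plus the custom "SessionID" from the C# sample.
SESSION_COOKIE_NAMES = {"asp.net_sessionid", "jsessionid", "sessionid"}


@dataclass
class SetCookie:
    name: str
    value: str
    attributes: Dict[str, str] = field(default_factory=dict)  # lower-cased attr -> value


def parse_set_cookie(header_value: str) -> SetCookie:
    """Parse one Set-Cookie header value: 'name=value; Attr; Attr=val; ...'."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return SetCookie(name.strip(), value, attrs)


def find_insecure_session_cookies(set_cookie_headers: List[str]) -> List[str]:
    """Return names of session cookies issued without the Secure attribute."""
    findings = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if cookie.name.lower() in SESSION_COOKIE_NAMES and "secure" not in cookie.attributes:
            findings.append(cookie.name)
    return findings


# Constructed sample headers: two session cookies as issued with requireSSL="false"
# / <secure>false</secure>, one correctly flagged Secure, and one non-session cookie.
SAMPLE_HEADERS = [
    "ASP.NET_SessionId=abc123; path=/; HttpOnly",
    "JSESSIONID=DEADBEEF; Path=/app; HttpOnly",
    "SessionID=tok; Path=/; Secure; HttpOnly",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for name in find_insecure_session_cookies(SAMPLE_HEADERS):
        print(f"Missing Secure attribute on session cookie: {name}")
```

Feed it the Set-Cookie headers captured from a login response (for example from a proxy or browser developer tools) to confirm the fix after enabling requireSSL or the secure cookie-config.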
