Advertisement






jackwebster - session cookie without secure flag

CVE Category Price Severity
CVE-2021-12345 CWE-614 $500 High
Author Risk Exploitation Type Date
Jack Webster Critical Remote 2020-12-14
CVSS EPSS EPSSP
CVSS:4.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L 0.02192 0.50148

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2020120095

Below is a copy:

jackwebster - session cookie without secure flag
#Expliot title :  jackwebster - session cookie without secure flag
#Vendor Homepage: http://www.jackwebster.com
#Google dork: inurl:/winners.php?year=2008&type= /winners.php?

#vulnerabilitys:
session coolie without secure flag  | Risk= medium
Directory listin              | Risk= Low
HTTP trace support        | Risk= low

#Date: 12-13-2020
#Tested on : windows 10
#vesion: 0.1
#category:webapps
################################
session cookie without secure flag
#Resource Content
PHPSESSID=3c43bd6f3ae50739e5972394dded2da0; path=/
#Discussion: I detected that a known session cookie may have been set without the secure flag. 
#Impact
Cookies can be exposed to network eavesdroppers. 
Session cookies are authentication credentials; attackers who obtain them can get unauthorized access to affected web applications. 
#Remediation: When creating the cookie in the code, set the secure flag to true. 
#####################################

HTTP trace support:
Resource Content
TRACE /jwf.ico HTTP/1.1
SQUEEM1SH: OSS1FR4GE
Accept-Encoding: gzip,deflate
Host: www.jackwebster.com
Connection: Keep-Alive
User-Agent: UserAgent
Cookie: PHPSESSID=3c43bd6f3ae50739e5972394dded2da0
Cookie2: $Version=1

#Discussion
HTTP TRACE is an HTTP method that requests that the server echo the TRACE request back to the client. This includes headers that were sent along with the request. Support for HTTP TRACE can be abused in scenarios where a cross-site scripting vulnerability has been found, but cannot be exploited to retrieve cookie values because the target cookies are set with the HttpOnly flag. The HttpOnly flag instructs browsers not to permit access to the cookie by Javascript. If a cross-site scripting vulnerability is found, but the session cookie is set HttpOnly, support for HTTP TRACE will open an oppportunity for cookie theft. An attacker can use the cross-site scripting vulnerability to have the target user's browser issue a TRACE request to the server via XMLHttpRequest (or a similar function) and then retrieve the cookie from the response, which will contain the request that was sent by the browser, including cookies. 
Impact
Allowing HTTP TRACE can permit cross-site tracing. 
Attackers may be able to use cross-site tracing with cross-site scripting retrieve the value of HttpOnly cookies. 

#Remediation
For Apache based servers, the TraceEnable directive can be used to disable support for HTTP TRACE. 
For IIS based servers, the EnableTraceMethod registry setting controls support for HTTP TRACE.. 

#External Remediation Guidelines
Below are some links to third-party guidelines, tutorials and other documentation that may be useful in understanding and/or addressing this finding. 


#IBM HTTP Server: Disabling the HTTP TRACE method

#Apache 2: TraceEnable Directive

#Windows Server 2012: WWW Service Registry Entries - EnableTraceMethod

#W2K3 Server: WWW Service Registry Entries - Enable TraceMethod
#################################

HTTP TRACE is an HTTP method that requests that the server echo the TRACE request back to the client. This includes headers that were sent along with the request. Support for HTTP TRACE can be abused in scenarios where a cross-site scripting vulnerability has been found, but cannot be exploited to retrieve cookie values because the target cookies are set with the HttpOnly flag. The HttpOnly flag instructs browsers not to permit access to the cookie by Javascript. If a cross-site scripting vulnerability is found, but the session cookie is set HttpOnly, support for HTTP TRACE will open an oppportunity for cookie theft. An attacker can use the cross-site scripting vulnerability to have the target user's browser issue a TRACE request to the server via XMLHttpRequest (or a similar function) and then retrieve the cookie from the response, which will contain the request that was sent by the browser, including cookies. 
Impact
Allowing HTTP TRACE can permit cross-site tracing. 
Attackers may be able to use cross-site tracing with cross-site scripting retrieve the value of HttpOnly cookies. 

#Remediation
For Apache based servers, the TraceEnable directive can be used to disable support for HTTP TRACE. 
For IIS based servers, the EnableTraceMethod registry setting controls support for HTTP TRACE.. 

#External Remediation Guidelines
Below are some links to third-party guidelines, tutorials and other documentation that may be useful in understanding and/or addressing this finding. 

#IBM HTTP Server: Disabling the HTTP TRACE method
#Apache 2: TraceEnable Directive
#Windows Server 2012: WWW Service Registry Entries - EnableTraceMethod
#W2K3 Server: WWW Service Registry Entries - Enable TraceMethod
#################################


#discovered by : NC01 

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum