Product
Features API Security Testing GraphQL Security Testing DevSecOps Compliance Cosmog: Private Tunnel WordPress Security Testing OWASP Security Testing Free Security Testing
Solutions
Pricing
Free tools
Website Security Assessment SSL Certificate Checker Domain Expiry Checker
Resources
Blog Developer Docs Help Center Guides Whitepapers Vulnerability Index Partners
Product tour
Blog Home
Cookies Attributes
04 Jul 2018

Cookie session without 'Secure' flag

04 Jul 2018
OWASP 2013-A5 OWASP 2017-A6 OWASP 2021-A5 OWASP 2019-API7 CAPEC-102 CWE-614 ISO27001-A.14.1.2 WASC-15 WSTG-SESS-02

Cookies are used to manage state, handle logins or to track you for advertising purposes and should be kept safe. The process involved in setting cookie are:-

  1. The server asks the browser to set a cookie.
  2. It gives a name, value and other parameters.
  3. Browser stores the data in disk or memory. This feature depends on the cookie type.

When an HTTP protocol is used for communication between client and server, the data traffic is sent in plaintext. An HHTP allows the attacker to see/modify the traffic using a Man-In-The-Middle attack (MITM). HTTPS is a secure version of HTTP. This protocol uses SSL/TLS to protect the data in the application layer. HTTPS is used for better authentication and data integrity. A secure flag is set by the application server while sending a new cookie to the user using an HTTP Response. The secure flag is used to prevent cookies from being observed and manipulated by an unauthorized party or parties. This is because the cookie is sent as a normal text. A browser will not send a cookie with the secure flag that is sent over an unencrypted HTTP request. That is, by setting the secure flag the browser will prevent/stop the transmission of a cookie over an unencrypted channel.

Impact

Using this vulnerability, an attacker can:-

  • redirect the user to a malicious site to steal information/data.
  • show user false data which will, in turn, affect the credibility of the website.

Mitigation / Precaution

Beagle recommends the following fixes:-

Add the following code In the element.

        <httpCookies requireSSL="true" />

add requireSSL=”true” to the form’s element as well.

        <system.web>
        <authentication mode="Forms">
        <forms requireSSL="true">
        /* forms content */ </forms>
        </authentication>
        </system.web>

PHP

In PHP, this can be implemented in 3 ways

Method - 1: By using the ini_set function

        1 ini_set("session.cookie_secure", 1);

Method - 2: By using session_set_cookie_params function:

        1 session_set_cookie_params(0, NULL, NULL, TRUE, NULL);

Method - 3: By using the setcookie function

        1 setcookie("name", "value", NULL, NULL, NULL, TRUE, NULL);

PRODUCT TOUR






Latest Articles

IMAP/SMTP injection
September 12 2023
7 limitations of vulnerability scanners
September 10 2023
Clickjacking attack
September 10 2023
Session Fixation Attack
July 30 2023
Vulnerability management using AI
June 29 2023

Explore morearrow



Popular in Injection

WordPress Authenticated SQL Injection
June 29 2022
SQL injection(SQLi)
May 4 2022
Union Query SQL Injection (SQLi)
July 4 2018
Stacked Queries SQL Injection (SQLi)
July 4 2018
Inline Queries SQL Injection (SQLi)
July 4 2018

Explore morearrow

Categories

Client Side URL Redirect Cookies Attributes IBM SQL Injection Injection Time Based Blind SQL Injection SSL CRLF Content Security Policy CSRF HSTS CORS Information Leakage status code SRI metadata X-XSS-Protection owasp XSS Clickjacking Cookies Directory traversal DOM XSS Blind SQL Injection XML Injection blog TLS WordPress web security SMB Cyber attacks AI Web server Data Security DOMECTF2020 Container security CMS Security Code Execution Htaccess Bypass DOMECTF2021 Press Webinar RFI DevSecOps DOMECTF2022 openssl HTTP headers Compliance AppSec
Related Articles
Session Cookie set without 'Secure' Flag but protected by HSTS
HSTS

 / 

Cookies Attributes
Session Cookie set without 'Secure' Flag but protected by HSTS
19 Jun 2018
Cookies SameSite flag invalid
Cookies Attributes
Cookies SameSite flag invalid
19 Jun 2018
Cookie set without 'Secure' flag
Cookies Attributes
Cookie set without 'Secure' flag
19 Jun 2018
Cookie anti-CSRF flag without SameSite flag
CSRF

 / 

Cookies Attributes
Cookie anti-CSRF flag without SameSite flag
19 Jun 2018
Cookie session without 'HttpOnly' flag
Cookies Attributes
Cookie session without 'HttpOnly' flag
05 Jun 2018