Session Cookie set without 'Secure' Flag but protected by HSTS

By
Sooraj V Nair
Published on
19 Jun 2018
2 min read
Vulnerability
HSTS
Cookies Attributes

Cookies are used to manage state, handle logins or track you for advertising purposes, and they should be kept safe. The process involved in setting a cookie is:

  1. The server asks your browser to set a cookie.

  2. It supplies a name, a value and other attributes.

  3. The browser stores the data on disk or in memory, depending on the cookie type.

If a cookie is not set with the Secure flag, the browser will also send it in plain text over an unencrypted (HTTP) connection. An attacker who can intercept that communication can read the sensitive information it carries. To exploit this vulnerability, the attacker must be positioned on the network path where the communication can be eavesdropped, which is possible when the user is on an insecure connection such as public WiFi or an office network with a compromised system.
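A way to check a server's response headers for this condition, added here as an example and not part of the original post: it parses each Set-Cookie header, flags cookies that lack the Secure attribute, and records whether a Strict-Transport-Security (HSTS) header is also present, the case this post's title describes. The sample headers and the list of session cookie names are constructed for the example.

```python
from typing import Dict, List, Tuple

# Constructed sample response headers, not captured from any real site:
# the session cookie lacks Secure while HSTS is present, the case in the title.
SAMPLE_HEADERS: List[Tuple[str, str]] = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "prefs=dark; Path=/; Secure; SameSite=Lax"),
    ("Set-Cookie", "PHPSESSID=xyz789; Path=/; Secure; HttpOnly"),
]

# Cookie names treated as session identifiers (constructed list for this example).
SESSION_COOKIE_NAMES = {"JSESSIONID", "PHPSESSID", "ASP.NET_SESSIONID"}


def parse_set_cookie(value: str) -> Tuple[str, Dict[str, str]]:
    """Split one Set-Cookie value into (cookie name, {attribute: value}).

    Attribute names are lower-cased because they are case-insensitive;
    flag attributes such as Secure and HttpOnly map to an empty string.
    """
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_cookies(headers: List[Tuple[str, str]]) -> List[str]:
    """Report cookies set without Secure, noting whether HSTS is also sent."""
    hsts = any(k.lower() == "strict-transport-security" for k, _ in headers)
    findings: List[str] = []
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if "secure" in attrs:
            continue
        kind = "session cookie" if name.upper() in SESSION_COOKIE_NAMES else "cookie"
        hsts_note = "HSTS present" if hsts else "no HSTS"
        findings.append(f"{name}: {kind} without Secure flag ({hsts_note})")
    return findings


if __name__ == "__main__":
    for finding in audit_cookies(SAMPLE_HEADERS):
        print(finding)
```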

Impact

Using this vulnerability, an attacker can:

  • redirect the user to a malicious site to steal information/data.

  • show the user false data, which in turn damages the credibility of the website.

Mitigation / Precaution

Beagle recommends the following fixes:

JAVA - Servlet 3.0 (Java EE 6)

Java supports the Secure flag in the Cookie class (javax.servlet.http.Cookie). The methods setSecure and isSecure set and check the Secure flag on a cookie.

web.xml

Add the following code in web.xml:

    <session-config>
        <cookie-config>
            <secure>true</secure>
        </cookie-config>
    </session-config>

JAVA - Tomcat

Add a custom header (this replaces the session cookie header the container would otherwise send):

        // Inside a servlet or filter with access to request and response
        String sessionid = request.getSession().getId();
        // Re-issue the session cookie with the Secure attribute
        response.setHeader("Set-Cookie", "JSESSIONID=" + sessionid + "; Secure");

ASP.NET

Insert the following in web.config (inside the <system.web> element):

        <httpCookies requireSSL="true" />

PHP

Add the following line in php.ini:

        session.cookie_secure = True

If the cookie is set from PHP code with setcookie(), pass true for the $secure parameter:

        bool setcookie ( string $name [, string $value [, int $expire = 0 [, string $path
            [, string $domain [, bool $secure = false [, bool $httponly = false ]]]]]] )