- Testing for Cookies Attributes (WSTG-SESS-02) (OWASP)
- Use the Cookiebro add-on in Firefox
Known Cookies
| Cookie | Description |
| --- | --- |
| ADRUM, ADRUM_BT, ADRUM_BTa, ADRUM_BTg, ADRUM_BT[1-5], ADRUM_BTs, ADRUM_BTh | Used by AppDynamics |
Reporting – Missing HTTP Only Flag, SameSite & Expiration too long
| CVSS Score v3 | 2.6 (Low) |
| CVSS Vector v3 | https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N&version=3.1 |
English
| Title | Cookie attributes |
| Description | A cookie is a small piece of data that a server sends to the user’s web browser. The browser may store it and send it back with later requests to the same server. Typically, it is used to tell whether two requests came from the same browser, for example to keep a user logged in; it remembers stateful information for the stateless HTTP protocol. Cookies are often a key attack vector for malicious users (typically targeting other users), and the application should always exercise due diligence to protect them. A cookie with the Secure attribute is sent to the server only with an encrypted request over HTTPS, never over unencrypted HTTP (except on localhost), and therefore cannot easily be read by a man-in-the-middle attacker. Insecure sites (with http: in the URL) cannot set cookies with the Secure attribute. However, do not assume that Secure prevents all access to sensitive information in cookies; for example, it can still be read by someone with access to the client’s hard disk. A cookie with the HttpOnly attribute is inaccessible to the JavaScript Document.cookie API; it is sent only to the server. For example, cookies that persist server-side sessions do not need to be available to JavaScript and should have the HttpOnly attribute. This precaution helps mitigate Cross-Site Scripting (XSS) attacks. The SameSite attribute asserts that a cookie ought not to be sent along with cross-site requests. This allows the server to mitigate the risk of cross-origin information leakage. In some cases it is also used as a risk-reduction (or defense-in-depth) strategy against cross-site request forgery attacks. |
| Steps to reproduce | Open a web browser and visit the website. Open the Inspector and click on the Application tab (Chrome) or the Storage tab (Firefox). The expiration date is set to 20XX, the HttpOnly flag is not set and SameSite is set to None. |
| Remediation | It is recommended to review the cookie configuration: set the HttpOnly flag; set a reasonable expiration date; set the SameSite attribute. The difficulty level to fix this vulnerability is assessed at “Simple”. |
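As an added example (not from the OWASP guide or from this page), a Python check that parses Set-Cookie headers and reports the findings this template covers: missing HttpOnly, missing Secure, missing or None SameSite, and a lifetime beyond an assumed 30-day threshold. The sample headers are constructed, not captured from any site.

```python
"""Audit Set-Cookie headers for the attributes WSTG-SESS-02 asks about."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Optional

# Lifetimes beyond this are reported as "too long" (assumed threshold, not from the page).
MAX_LIFETIME = timedelta(days=30)

# Constructed sample headers (not captured from any real site).
SAMPLE = [
    "SESSIONID=abc123; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT; SameSite=None; Secure",
    "csrftoken=xyz; Path=/; Max-Age=3600; HttpOnly; Secure; SameSite=Lax",
]

def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie value into name, value and lower-cased attribute names."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")  # flags like HttpOnly have no value
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value, "attrs": attrs}

def audit_cookie(header: str, now: Optional[datetime] = None) -> list:
    """Return the findings for one Set-Cookie header (empty list means no issue)."""
    now = now or datetime.now(timezone.utc)
    attrs = parse_set_cookie(header)["attrs"]
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if "secure" not in attrs:
        findings.append("missing Secure")
    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        findings.append("missing SameSite")
    elif samesite == "none":
        findings.append("SameSite=None")
    # Lifetime: Max-Age takes precedence over Expires (RFC 6265); no lifetime = session cookie.
    lifetime = None
    if "max-age" in attrs and attrs["max-age"].lstrip("-").isdigit():
        lifetime = timedelta(seconds=int(attrs["max-age"]))
    elif "expires" in attrs:
        try:
            lifetime = parsedate_to_datetime(attrs["expires"]) - now
        except (TypeError, ValueError):
            findings.append("unparseable Expires")
    if lifetime is not None and lifetime > MAX_LIFETIME:
        findings.append(f"expiration too long ({lifetime.days} days)")
    return findings

if __name__ == "__main__":
    for h in SAMPLE:
        print(parse_set_cookie(h)["name"], audit_cookie(h) or ["ok"])
```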
French
| Title | Attributs des cookies |
| Description | |
| Steps to reproduce | |
| Remediation | |