Project

General

Profile

Actions

Bug #7573

closed

Cookies in default configuration are not marked Secure

Added by Pavel Kácha 10 months ago. Updated 6 months ago.

Status:
Closed
Priority:
Normal
Category:
Development - Tools
Target version:
Start date:
03/22/2022
Due date:
% Done:

100%

Estimated time:
To be discussed:

Description

Nessus info

Synopsis

HTTP session cookies might be transmitted in cleartext.

Description

The remote web application sets various cookies throughout a user's unauthenticated and authenticated session. However, there are instances where the application is running over unencrypted HTTP or the cookies are not marked 'secure', meaning the browser could send them back over an unencrypted link under certain circumstances. As a result, it may be possible for a remote attacker to intercept these cookies.

Note that this plugin detects all general cookies missing the 'secure' cookie flag, whereas plugin 49218 (Web Application Session Cookies Not Marked Secure) will only detect session cookies from an authenticated session missing the secure cookie flag.

Links and related


Related issues

Related to Mentat - Bug #7574: Non-compliant Strict Transport Security (STS)ClosedRajmund Hruška03/23/2022

Actions
Actions

Also available in: Atom PDF