When a Cookie has the Secure flag set, that cookie will not be sent over a non-encrypted connection. If the Secure attribute is not set on a sensitive cookie, the cookie will be sent in plaintext and an attacker might intercept it. If an attacker is able to intercept a session cookie, they can impersonate an authenticated user. This vulnerability affects web applications that use authentication.
Sending a sensitive cookie in plaintext creates a risk that an eavesdropping attacker might intercept it. Once the attacker has intercepted a session cookie, they can use it to hijack the user's session. Hijacking the user's session allows the attacker to impersonate that user. If the attacker hijacks an administrator's session, the attacker can take full control of the application.
To prevent this problem, set Secure and HTTP-Only flags on all sensitive cookies and send session cookies over HTTPS.
Set Secure and HTTP-Only flags on all sensitive cookies:
Send session cookies only over HTTPS:
To check for adequate protection against this vulnerability, find all code that stores session cookies to ensure that it sets the Secure flag, and ensure that session cookies are sent over HTTPS.
Secure and HTTP-Only flags are set on all sensitive cookies:
Session cookies are sent only over HTTPS:
Computer Based Training Links
Use the following Computer Based Training courses for more background information about this type of vulnerabilities.
OWASP Top Threats & Mitigations
This course examines in depth the vulnerabilities, threats, and mitigations described in the OWASP Top 10 2013. Upon completion of this class, participants will be able to identify and mitigate the greatest threats that web application developers face, including: Injection, Broken Authentication and Session Management, Cross-Site Scripting (XSS), Insecure Direct Object References, Security Misconfiguration, Sensitive Data Exposure, Missing Function Level Access Control, Cross-Site Request Forgery (CSRF), Using Components with Known Vulnerabilities, and Unvalidated Redirects and Forwards.
Valid login credentials and enrollment in the course itself are required to access Team Professor content. If you need login credentials, please contact firstname.lastname@example.org for help.
- For more information about this vulnerability type, see http://minsky.gsi.dit.upm.es/semanticwiki/index.php/Sensitive_Cookie_in_HTTPS_Session_Without_%27Secure%27_Attribute