CWE-1004 没有'HttpOnly'标志的敏感Cookie

admin 2022年1月7日02:24:14CWE(弱点枚举)评论18 views2482字阅读8分16秒阅读模式

CWE-1004 没有'HttpOnly'标志的敏感Cookie

结构: Simple

Abstraction: Variant

状态: Incomplete

被利用可能性: Medium

基本描述

The software uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.

扩展描述

The HttpOnly flag directs compatible browsers to prevent client-side script from accessing cookies. Including the HttpOnly flag in the Set-Cookie HTTP response header helps mitigate the risk associated with Cross-Site Scripting (XSS) where an attacker's script code might attempt to read the contents of a cookie and exfiltrate information obtained. When set, browsers that support the flag will not reveal the contents of the cookie to a third party via client-side script executed via XSS.

相关缺陷

  • cwe_Nature: ChildOf cwe_CWE_ID: 732 cwe_View_ID: 1000 cwe_Ordinal: Primary

常见的影响

范围 影响 注释
Confidentiality Read Application Data If the HttpOnly flag is not set, then sensitive information stored in the cookie may be exposed to unintended parties.
Integrity Gain Privileges or Assume Identity If the cookie in question is an authentication cookie, then not setting the HttpOnly flag may allow an adversary to steal authentication data (e.g., a session ID) and assume the identity of the user.

可能的缓解方案

Implementation

策略:

Leverage the HttpOnly flag when setting a sensitive cookie in a response.

示例代码

In this example, a cookie is used to store a session ID for a client's interaction with a website. The intention is that the cookie will be sent to the website with each request made by the client.

The snippet of code below establishes a new cookie to hold the sessionID.

bad Java

String sessionID = generateSessionId();
Cookie c = new Cookie("session_id", sessionID);
response.addCookie(c);

The HttpOnly flag is not set for the cookie. An attacker who can perform XSS could insert malicious script such as:

attack JavaScript

document.write(''

When the client loads and executes this script, it makes a request to the attacker-controlled web site. The attacker can then log the request and steal the cookie.

To mitigate the risk, use the setHttpOnly(true) method.

good Java

String sessionID = generateSessionId();
Cookie c = new Cookie("session_id", sessionID);
c.setHttpOnly(true);
response.addCookie(c);

分析过的案例

标识 说明 链接
CVE-2014-3852 CMS written in Python does not include the HTTPOnly flag in a Set-Cookie header, allowing remote attackers to obtain potentially sensitive information via script access to this cookie. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3852
CVE-2015-4138 Appliance for managing encrypted communications does not use HttpOnly flag. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4138

引用

文章来源于互联网:scap中文网

特别标注: 本站(CN-SEC.COM)所有文章仅供技术研究,若将其信息做其他用途,由用户承担全部法律及连带责任,本站不承担任何法律及连带责任,请遵守中华人民共和国安全法.
  • 我的微信
  • 微信扫一扫
  • weinxin
  • 我的微信公众号
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2022年1月7日02:24:14
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                  CWE-1004 没有'HttpOnly'标志的敏感Cookie http://cn-sec.com/archives/612742.html

发表评论

匿名网友 填写信息

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: