Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in netdisco/netdisco

Valid

Reported on

Sep 27th 2021


Description

The session cookie dancer.session is set over an HTTPS session without the 'Secure' attribute, so a browser will also send it on any plaintext http:// request to the same host, where it can be captured or injected by a network attacker.

Proof of Concept

  1. Go to the demo page https://netdisco2-demo.herokuapp.com; the page automatically logs you in as guest.
  2. Open the Firefox developer tools (Storage panel, Cookies) and see that the cookie dancer.session is not marked with 'Secure'.
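The same check can be scripted instead of read off the developer tools. The following is an added example written for this report, not code from the netdisco project: it parses Set-Cookie header values, flags a session cookie that lacks Secure (and, as related checks, HttpOnly and SameSite), and includes a helper that fetches the headers of a single response without following redirects, since the response that sets the session cookie is often a login redirect rather than the final page. The two sample headers are constructed to mirror the shape described in this report and the shape after the fix; they were not captured from the demo site, and the cookie name match on the substring "session" is an assumption that happens to fit Dancer's default name dancer.session.

```python
"""Audit Set-Cookie headers for the attributes a session cookie should carry.

Added example for this report; not code from the netdisco project.
Standard library only, so it runs offline on the constructed headers below.
"""
from dataclasses import dataclass, field
from typing import List, Optional
import http.client
from urllib.parse import urlsplit


@dataclass
class CookieAudit:
    name: str
    secure: bool
    http_only: bool
    same_site: Optional[str]
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie header value.

    Attribute names are case-insensitive (RFC 6265), so 'secure', 'Secure'
    and 'SECURE' are all recognised; the attribute value, if any, is kept.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return CookieAudit(
        name=name,
        secure="secure" in attrs,
        http_only="httponly" in attrs,
        same_site=attrs.get("samesite") or None,
    )


def audit_set_cookie(header: str, over_https: bool,
                     session_hint: str = "session") -> CookieAudit:
    """Flag a session cookie that is missing the attributes this report is about.

    `session_hint` (an assumption) is a substring used to decide which cookies
    count as session cookies; "session" matches Dancer's default dancer.session.
    Secure is only checked when the response came over HTTPS, because that is
    the only case where the attribute is meaningful.
    """
    audit = parse_set_cookie(header)
    is_session = session_hint in audit.name.lower()
    if is_session and over_https and not audit.secure:
        audit.findings.append("Secure missing: cookie is also sent over plaintext HTTP")
    if is_session and not audit.http_only:
        audit.findings.append("HttpOnly missing: cookie is readable from JavaScript")
    if is_session and audit.same_site is None:
        audit.findings.append("SameSite missing: browser default applies")
    return audit


def audit_response_headers(headers: List[str], over_https: bool) -> List[CookieAudit]:
    """Audit every Set-Cookie header of one response."""
    return [audit_set_cookie(h, over_https) for h in headers]


def fetch_set_cookie_headers(url: str, timeout: float = 10.0) -> List[str]:
    """Issue one GET and return that response's Set-Cookie headers.

    Redirects are deliberately not followed: a login redirect is frequently
    the response that sets the session cookie, and a redirect-following
    client would only show the final page's headers. Needs network access,
    so the offline demo below does not call it.
    """
    u = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.hostname, u.port, timeout=timeout)
    try:
        conn.request("GET", u.path or "/", headers={"User-Agent": "cookie-audit/0"})
        resp = conn.getresponse()
        return resp.headers.get_all("Set-Cookie") or []
    finally:
        conn.close()


# Constructed headers for the offline demo (not captured from the demo site):
# the shape reported here (no Secure) and the shape after the maintainers' fix.
SAMPLE_BEFORE = "dancer.session=1a2b3c4d5e6f; path=/; HttpOnly"
SAMPLE_AFTER = "dancer.session=1a2b3c4d5e6f; path=/; secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    for label, hdr in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        a = audit_set_cookie(hdr, over_https=True)
        print(f"{label}: {a.name} -> {a.findings or 'ok'}")
```

Against a live target, `audit_response_headers(fetch_set_cookie_headers("https://host/"), over_https=True)` gives the same result as the manual check in the steps above; run it against each response that sets the cookie, not only the landing page.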
We created a GitHub Issue asking the maintainers to create a SECURITY.md 2 months ago
We have contacted a member of the netdisco team and are waiting to hear back 2 months ago
netdisco/netdisco maintainer
2 months ago

Hello! Thank you for this alert! We have amended the site configuration to use cookies marked for secure sessions only: https://github.com/netdisco/netdisco2-demo/blob/master/environments/deployment.yml#L9

netdisco/netdisco maintainer validated this vulnerability 2 months ago
M0rphling has been awarded the disclosure bounty
The fix bounty is now up for grabs
netdisco/netdisco maintainer confirmed that a fix has been merged on 0cef3b 2 months ago
The fix bounty has been dropped