Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in kcal-app/kcal

Valid

Reported on

Sep 26th 2021


Description
The application sets its session cookie (laravel_session) and its CSRF cookie (XSRF-TOKEN) during an HTTPS session without the Secure attribute, so a browser will also send them on a plain-HTTP request to the same host. Set the Secure flag on both cookies (the session cookie already carries HttpOnly; XSRF-TOKEN does not, see the caveat under Impact).

Proof of Concept

Impact
The Secure flag is an attribute the application server can set on a cookie in the Set-Cookie header of an HTTP response. Its purpose is to prevent the cookie from being observed by unauthorized parties through transmission in clear text: a browser that honours the flag attaches a Secure cookie only to requests going to an HTTPS URL and never sends it over an unencrypted HTTP request. In the capture below, neither laravel_session nor XSRF-TOKEN carries the attribute, and the browser does send both on the request (note the http:// Referer), so anyone on the network path, or anyone who can make the victim's browser issue a single request to http://demo.kcal.cooking/, obtains the session cookie and can take over the session. The Location header of the response also points at http://demo.kcal.cooking/login, which together with the Via header is consistent with TLS being terminated at a proxy in front of Apache while the application itself treats every request as plain HTTP. One caveat on HttpOnly: Laravel deliberately leaves XSRF-TOKEN readable by script so the front end can copy it into the X-XSRF-TOKEN request header, so adding HttpOnly to that cookie would break CSRF handling; the flag that is missing from both cookies and matters here is Secure.

PoC Request

GET /foods HTTP/1.1
Host: demo.kcal.cooking
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://demo.kcal.cooking/recipes
Cookie: XSRF-TOKEN=eyJpdiI6Ik01QmdQbzJKbitGRnhFcEdvTGZPZlE9PSIsInZhbHVlIjoia3lQU2s0ZlFNdHVhZ0NnWXBhYjhkR0RtbkR1VjlzV0tQZktGQWVCUDQwNmlCQ3ZtWXpHaXYraGFYSjBndXkvd2xoS05BYkNkZFdiZDVoZVVQTlQ5TXNIMG1HQ1NXYTMvSmNqYkVubDBKbkN1Qmg3OW5Rcm5BVDltTkNEOS9IQ2kiLCJtYWMiOiIwYWZhODdlMTEzNjNiN2Y3MDI3MTU2YzllYTE5ZDc2NTIxZTQxNDBlN2NmYzM2OTlkNzIxNGFiY2UyYjBjOTA4In0%3D; laravel_session=eyJpdiI6IjBBbk8zNURTZHFvNE9FWW1uSkRPYkE9PSIsInZhbHVlIjoiMitFT0NFbnpzWnpPbHNaazZuUm1QSmRJQ2tXQzNnMnFpYlI5TDFLcFMvaEpyZm9BVms4d2ttaUNZQVRUR05aT04vdGF0NURJa3FBWmsxYVdLRGNNZEs2YmZYdENkSEZKS0twSkxnMVZWY1U1dlh6VmVzQXA5QkRzS0dJVEppdTQiLCJtYWMiOiI5NDY4M2EzNzg5ZTA1ZjY0OTM1MzM3Yzc5MDI1ZWZkMjU4YjNiYTQzYzJkNDQwNDBkYTRmYzllM2QwZmY3MWU5In0%3D
Upgrade-Insecure-Requests: 1

Response

HTTP/1.1 302 Found
Connection: close
Date: Sun, 26 Sep 2021 19:05:15 GMT
Server: Apache
Cache-Control: no-cache, private
Set-Cookie: XSRF-TOKEN=eyJpdiI6ImE3cWRybGJsZ3JybVNHLytQZnF6bWc9PSIsInZhbHVlIjoiMHhKd1ZTZmQvS3k3UnlmTGxrQzJ4ZjA1bHI5cEZ1a0s2OWExNlNoQkx0eG9KMHhEbVJSbXp5N3EzbnhsU2g0RWJ6b2prZmczSUpESGYwZnV1WVBvS1RCRSsvOG13SlVPV2JLSEZXNXN0WmJGVzNFcWtzNEVNMVpCYmVlODJ0enciLCJtYWMiOiJiZDc4ZTI2NGI2NWZiYjM4YzBiNGUyNjhjMjgzZmRkMWYxMjMyNjc5MzZjZmY1MTVkNTFiOWYxOWI4MTQ4YmNmIn0%3D; expires=Sun, 26-Sep-2021 21:05:15 GMT; Max-Age=7200; path=/; samesite=lax
Set-Cookie: laravel_session=eyJpdiI6IlBUcXNOK3RvV1IzYzdiZzdJTGkzTUE9PSIsInZhbHVlIjoiT21mYXJOMEt3RmhuRmpGaklLZHc0aDFwc2h3Zzlxenl0Y1k4ck40eFlMUnNLb2g1YlBwRXAzSEhJcERvWitiTjMzZ1hweloxeVRQWkJnWDdYWmRDZEhvVmxmdGFlTzVOVHREaDQxdW9YMTc3dktEaXNVL3hzeDRwWnhPQldGblAiLCJtYWMiOiJhN2YxNzZiNTNkMWYzZjQxOGNjNGNkZmNmMzQzNzQxNzZlMTg5N2MyZDM1N2M5YjBiMmI1NWUxYmY3MWVmZDQ5In0%3D; expires=Sun, 26-Sep-2021 21:05:15 GMT; Max-Age=7200; path=/; httponly; samesite=lax
Location: http://demo.kcal.cooking/login
Content-Type: text/html; charset=UTF-8
Via: 1.1 vegur
Content-Length: 366
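
The response above, audited for cookie attributes as an added example (this is not code from the report or from the kcal project). SAMPLE_RESPONSE is constructed from the capture with the cookie values shortened, and FIXED_RESPONSE is a hypothetical corrected version of the same headers; the browser rule modelled is the one described under Impact.

```python
"""Set-Cookie attribute audit over a captured HTTP response.

Added example; it is not code from the huntr report or the kcal project.
SAMPLE_RESPONSE is constructed from the response in the report with the
cookie values shortened, and FIXED_RESPONSE is a hypothetical corrected
version of the same headers.
"""


# Constructed sample: the 302 from the report, cookie values shortened.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: XSRF-TOKEN=eyJpdiI6...; expires=Sun, 26-Sep-2021 21:05:15 GMT; "
    "Max-Age=7200; path=/; samesite=lax\r\n"
    "Set-Cookie: laravel_session=eyJpdiI6...; expires=Sun, 26-Sep-2021 21:05:15 GMT; "
    "Max-Age=7200; path=/; httponly; samesite=lax\r\n"
    "Location: http://demo.kcal.cooking/login\r\n"
    "Via: 1.1 vegur\r\n"
    "\r\n"
)

# Hypothetical hardened version of the same response: both cookies carry Secure.
FIXED_RESPONSE = SAMPLE_RESPONSE.replace("path=/;", "path=/; secure;")


def set_cookie_values(raw_response):
    """Return the value part of every Set-Cookie header in a raw HTTP/1.1 response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie_name, cookie_value, attrs).

    attrs maps lowercased attribute names to their value, or True for flag
    attributes such as Secure and HttpOnly. Attribute names are
    case-insensitive (RFC 6265), which is why the response's lowercase
    'httponly' and 'samesite' are matched.
    """
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), cookie_value, attrs


def audit_cookies(raw_response):
    """Map each cookie name to the list of missing attributes.

    Secure is expected on every cookie set in an HTTPS session. HttpOnly is
    reported as informational, because some cookies (Laravel's XSRF-TOKEN)
    are meant to be readable by script.
    """
    findings = {}
    for value in set_cookie_values(raw_response):
        name, _, attrs = parse_set_cookie(value)
        issues = []
        if "secure" not in attrs:
            issues.append("missing Secure")
        if "httponly" not in attrs:
            issues.append("missing HttpOnly")
        if str(attrs.get("samesite", "")).lower() == "none" and "secure" not in attrs:
            issues.append("SameSite=None requires Secure")
        findings[name] = issues
    return findings


def browser_would_send(attrs, scheme):
    """The rule from the Impact section: a Secure cookie is attached only to
    https requests; without the flag the browser sends it over http too."""
    return scheme == "https" or "secure" not in attrs


def sent_over_plain_http(raw_response):
    """Names of cookies a browser would leak on an http:// request to the origin."""
    leaked = set()
    for value in set_cookie_values(raw_response):
        name, _, attrs = parse_set_cookie(value)
        if browser_would_send(attrs, "http"):
            leaked.add(name)
    return leaked


if __name__ == "__main__":
    for label, resp in (("as captured", SAMPLE_RESPONSE), ("with Secure", FIXED_RESPONSE)):
        print(label, audit_cookies(resp),
              "leaked over http:", sorted(sent_over_plain_http(resp)))
```

Running the file prints both audits; for the captured response both cookies are reported as leaked over http, while the hardened version leaks none and only flags the (intentional) absence of HttpOnly on XSRF-TOKEN. To use it against a live target, feed the raw response bytes from a proxy or `openssl s_client` capture to `audit_cookies` instead of the constructed sample.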

Solution:

The fragment below is a Django settings snippet. Note that the cookies in the response above (laravel_session, XSRF-TOKEN) are set by Laravel, so this fragment only applies to a Django deployment with the same symptom; the Laravel equivalent follows it.

    import os

    # Only trust X-Forwarded-Proto when a TLS-terminating proxy is explicitly
    # in front of the app; honouring the header from arbitrary clients is unsafe.
    if os.environ.get('SECURE_PROXY_SSL_HEADER'):
        SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')

    # Mark the session and CSRF cookies Secure so the browser never sends them over plain HTTP.
    SESSION_COOKIE_SECURE = True
    CSRF_COOKIE_SECURE = True

For the Laravel application observed here, the equivalent is to set SESSION_SECURE_COOKIE=true (the 'secure' option in config/session.php), keep 'http_only' => true and 'same_site' => 'lax' for the session cookie, and list the reverse proxy in the TrustProxies middleware so that X-Forwarded-Proto is honoured. Without the trusted-proxy step the framework treats every request as plain HTTP, which is also why the Location header above redirects to an http:// URL. Verify the fix by fetching any page over HTTPS and confirming that every Set-Cookie line now contains "secure".
We have contacted a member of the kcal-app/kcal team and are waiting to hear back a year ago
Christopher Charbonneau Wells validated this vulnerability a year ago
@0xAmal has been awarded the disclosure bounty
The fix bounty is now up for grabs
Christopher Charbonneau Wells confirmed that a fix has been merged on 11f265 a year ago
Christopher Charbonneau Wells has been awarded the fix bounty