Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in jonschoning/espial


Reported on

Sep 26th 2021

Set both the Secure flag and the HttpOnly flag on the cookies the application issues.

Proof of Concept

The Secure flag is an attribute that the application server can set on a cookie it issues in the Set-Cookie header of an HTTP response.
Its purpose is to prevent the cookie from being observed by unauthorized parties through transmission in clear text. To accomplish this, browsers that support the Secure flag only send a cookie carrying it when the request is going to an HTTPS page; put another way, the browser will not send a cookie with the Secure flag set over an unencrypted HTTP request. Setting the Secure flag therefore prevents the browser from transmitting the cookie over an unencrypted channel.

PoC Request

GET /auth/login HTTP/2
Cookie: _SESSION=xzgw30qMfWZ6tNaiZW/bFy1DtB1tpMyW+wGea+CmgWWcPrWfc3cz+b40aWnAna1QaohFT7zfYLmpKaCbNvpYirszsz4DsZFSF20SHwPWo1w/xW9SIP++t788kql0a921/OhB/RVor7qpHX1unkSlnL9qjG6Kd1KIS4IGIWlz/ZXtVtlYbe2QgDVE7umOFHczKaS+si/SFoFVvPZszyWsS7yZGBiM966o6JYH7nnTRxBP2ZabZIVg5XUxK4r4esw=; XSRF-TOKEN=S1ebhvUX0Whm4rIR7qbhVDngqdJKAJ2izc69ErXm
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close


HTTP/2 200 OK
Date: Sun, 26 Sep 2021 20:31:05 GMT
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Vary: Accept, Accept-Language
Set-Cookie: _SESSION=HEPyaoTjPXxzfyiFA4ABy7zm7AmBFrBMYGJfBkCDwFHVaYD9c+jRSpj2SyBg+MiHSGco6djWEFgPOoLRU7jbyGVGdaU8rbQFbrSeYw9PujmcZDozqWNR11rdYLbZnmNPspl9u+BdSymKf7Mlhg0mB/liqg6qTFG6vpPqnbCQI59h6KAkNIQeSNx0iwI9jEefdu7fdVbcOZRtBIfnneinymELvi++cKHH7p0nfHFDMi4Cg6vEqeG98l9Oh9n7r/g=; Path=/; Expires=Sun, 03-Oct-2021 20:31:05 GMT; HttpOnly
Set-Cookie: XSRF-TOKEN=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT
Set-Cookie: XSRF-TOKEN=S1ebhvUX0Whm4rIR7qbhVDngqdJKAJ2izc69ErXm; Path=/
X-Xss-Protection: 1; mode=block
Cf-Cache-Status: DYNAMIC
Expect-Ct: max-age=604800, report-uri=""
Report-To: {"endpoints":[{"url":"https:\/\/\/report\/v3?s=NEpNnOcmNsvWV4yskn1FCGh9iRv%2BjZ2tv50gQkh4imutN%2B7HMZZDVfxRHTWE2ktSn%2FgjuTqNAPkYXeo6RkOpne5nMy9pYLdGmaYHzA56uQ3jhXmroDO0bdECOB0zmA%3D%3D"}],"group":"cf-nel","max_age":604800}
Nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
Cf-Ray: 694f40fb790d697d-BOM
Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
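In the response above, the _SESSION cookie carries HttpOnly but no Secure attribute, and the XSRF-TOKEN cookie carries neither. The following Python script is an added example (not part of this report and not espial's own code) that parses Set-Cookie headers out of a raw HTTP response, reports which cookies lack Secure or HttpOnly, and models the browser rule described above: a cookie with the Secure attribute is only attached to https:// requests. The embedded response is a constructed, shortened copy of the PoC response (the token values are truncated), and HARDENED_SET_COOKIE is an assumed fixed header, not the one espial actually emits.

```python
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed excerpt modelled on the PoC response above; cookie values are
# truncated and are not the live tokens.
SAMPLE_RESPONSE = (
    "HTTP/2 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: _SESSION=HEPyaoTjPXxz...; Path=/; "
    "Expires=Sun, 03-Oct-2021 20:31:05 GMT; HttpOnly\r\n"
    "Set-Cookie: XSRF-TOKEN=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT\r\n"
    "Set-Cookie: XSRF-TOKEN=S1ebhvUX0Whm...; Path=/\r\n"
    "Server: cloudflare\r\n"
    "\r\n"
)

# Assumed hardened form of the session cookie (illustrative, not espial's header).
HARDENED_SET_COOKIE = "_SESSION=HEPyaoTjPXxz...; Path=/; HttpOnly; Secure; SameSite=Lax"


def parse_set_cookie(header_value: str) -> Tuple[str, str, Dict[str, str]]:
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr_lower: val})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive; flags like HttpOnly have no value.
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def set_cookie_headers(raw_response: str) -> List[str]:
    """Return the values of every Set-Cookie header in the response head."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        key, _, val = line.partition(":")
        if key.strip().lower() == "set-cookie":
            values.append(val.strip())
    return values


def audit_cookies(raw_response: str) -> List[dict]:
    """List cookies the response grants that lack Secure and/or HttpOnly."""
    findings = []
    for header in set_cookie_headers(raw_response):
        name, value, attrs = parse_set_cookie(header)
        if value == "":
            continue  # an empty value with a past Expires deletes a cookie; nothing is granted
        missing = [flag for flag in ("secure", "httponly") if flag not in attrs]
        if missing:
            findings.append({"cookie": name, "missing": missing})
    return findings


def browser_would_send(set_cookie_value: str, request_url: str) -> bool:
    """Model the rule from the report: a Secure cookie is only sent over https."""
    _, _, attrs = parse_set_cookie(set_cookie_value)
    scheme = urlsplit(request_url).scheme.lower()
    return not ("secure" in attrs and scheme != "https")


if __name__ == "__main__":
    for finding in audit_cookies(SAMPLE_RESPONSE):
        print(f"{finding['cookie']}: missing {', '.join(finding['missing'])}")
    session_header = set_cookie_headers(SAMPLE_RESPONSE)[0]
    print("as issued, sent over http:", browser_would_send(session_header, "http://example.invalid/"))
    print("hardened, sent over http:", browser_would_send(HARDENED_SET_COOKIE, "http://example.invalid/"))
```

Running the script prints the two findings for _SESSION and XSRF-TOKEN, shows that the cookie as issued would be sent over plain HTTP, and that the hardened form would not; rerunning audit_cookies on a response that uses the hardened header returns no findings.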

if os.environ.get('SECURE_PROXY_SSL_HEADER'):

We have contacted a member of the jonschoning/espial team and are waiting to hear back 2 years ago


Hi sir, can you have a look at the report?

Jon Schoning validated this vulnerability 2 years ago
0xamal has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jon Schoning marked this as fixed with commit 71938b 2 years ago
Jon Schoning has been awarded the fix bounty