Sensitive Cookie Without 'HttpOnly' Flag in babybuddy/babybuddy
Valid
Reported on Sep 15th 2021
Description
The csrftoken cookie is set without the HttpOnly flag.
Proof of Concept
Steps to reproduce
The request below was sent:
GET /login/?next=/google.com HTTP/1.1
Host: demo.baby-buddy.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://demo.baby-buddy.net/children/christina-jones/edit/
Connection: close
Cookie: csrftoken=us1ARk8H1caeSNYnNrSSqT56dYxWmhOgDTEavzHKLhb8ywlisYJBMm3MxTrDBv42
Upgrade-Insecure-Requests: 1
The response below sets the csrftoken cookie without the HttpOnly flag:
HTTP/1.1 200 OK
Connection: close
Server: gunicorn
Date: Wed, 15 Sep 2021 14:21:42 GMT
Content-Type: text/html; charset=utf-8
Expires: Wed, 15 Sep 2021 14:21:42 GMT
Cache-Control: max-age=0, no-cache, no-store, must-revalidate, private
Vary: Cookie, Accept-Language
X-Frame-Options: DENY
Content-Length: 3457
Content-Language: en
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
Set-Cookie: csrftoken=us1ARk8H1caeSNYnNrSSqT56dYxWmhOgDTEavzHKLhb8ywlisYJBMm3MxTrDBv42; expires=Wed, 14 Sep 2022 14:21:42 GMT; Max-Age=31449600; Path=/; SameSite=Lax
Via: 1.1 vegur
PoC image attached: https://ibb.co/ZB4bpG2
Impact
Without the HttpOnly flag, a vulnerability such as XSS could be used to read the cookie from JavaScript and steal it.
Solution
SESSION_COOKIE_HTTPONLY = True
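As an added example (not code from the report or from Baby Buddy), the check below parses Set-Cookie headers and lists which security attributes each cookie lacks, run over the header from the response above and over a constructed hardened version. One caveat for the fix: the cookie in the response is Django's CSRF cookie, whose flag is controlled by CSRF_COOKIE_HTTPONLY; SESSION_COOKIE_HTTPONLY covers the sessionid cookie.

```python
"""Audit Set-Cookie headers for missing HttpOnly/Secure/SameSite attributes.

Added example, not code from the report or from Baby Buddy. REPORTED is the
header copied from the report; HARDENED is a constructed version of what
Django emits once CSRF_COOKIE_HTTPONLY and CSRF_COOKIE_SECURE are True.
"""


def parse_set_cookie(header: str) -> tuple[str, str, dict]:
    """Split 'name=value; Attr=val; Flag' into (name, value, {attr: val|True})."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, has_value, val = part.partition("=")
        # Attribute names are case-insensitive; bare flags get the value True.
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value.strip(), attrs


def missing_flags(header: str) -> list[str]:
    """Return the security attributes the cookie lacks, in a fixed order."""
    _, _, attrs = parse_set_cookie(header)
    wanted = ("HttpOnly", "Secure", "SameSite")
    return [flag for flag in wanted if flag.lower() not in attrs]


def audit(headers: list[str]) -> dict[str, list[str]]:
    """Map each non-compliant cookie name to its missing attributes."""
    report = {}
    for header in headers:
        name, _, _ = parse_set_cookie(header)
        missing = missing_flags(header)
        if missing:
            report[name] = missing
    return report


# Set-Cookie header exactly as shown in the report's response.
REPORTED = ("csrftoken=us1ARk8H1caeSNYnNrSSqT56dYxWmhOgDTEavzHKLhb8ywlisYJBMm3MxTrDBv42; "
            "expires=Wed, 14 Sep 2022 14:21:42 GMT; Max-Age=31449600; Path=/; SameSite=Lax")

# Constructed: the same cookie with both flags set (token value is a placeholder).
HARDENED = ("csrftoken=PLACEHOLDER_TOKEN; expires=Wed, 14 Sep 2022 14:21:42 GMT; "
            "Max-Age=31449600; Path=/; SameSite=Lax; Secure; HttpOnly")

if __name__ == "__main__":
    for label, header in (("reported", REPORTED), ("hardened", HARDENED)):
        print(f"{label}: missing {missing_flags(header) or 'nothing'}")
```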
We have contacted a member of the babybuddy team and are waiting to hear back.
Christopher Charbonneau Wells has been awarded the fix bounty.
This vulnerability will not receive a CVE