Sensitive Cookie Without 'HttpOnly' Flag in babybuddy/babybuddy


Reported on Sep 15th 2021


The HttpOnly flag is not set on the cookie.

Proof of Concept

Steps to reproduce

The request below is sent:

GET /login/?next=/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: csrftoken=us1ARk8H1caeSNYnNrSSqT56dYxWmhOgDTEavzHKLhb8ywlisYJBMm3MxTrDBv42
Upgrade-Insecure-Requests: 1

The response below sets the cookie without the HttpOnly flag:

HTTP/1.1 200 OK
Connection: close
Server: gunicorn
Date: Wed, 15 Sep 2021 14:21:42 GMT
Content-Type: text/html; charset=utf-8
Expires: Wed, 15 Sep 2021 14:21:42 GMT
Cache-Control: max-age=0, no-cache, no-store, must-revalidate, private
Vary: Cookie, Accept-Language
X-Frame-Options: DENY
Content-Length: 3457
Content-Language: en
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
Set-Cookie: csrftoken=us1ARk8H1caeSNYnNrSSqT56dYxWmhOgDTEavzHKLhb8ywlisYJBMm3MxTrDBv42; expires=Wed, 14 Sep 2022 14:21:42 GMT; Max-Age=31449600; Path=/; SameSite=Lax
Via: 1.1 vegur

PoC image attached.


Without HttpOnly, vulnerabilities such as XSS can read the cookie from script and steal it.

#### Solution: SESSION_COOKIE_HTTPONLY = True
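As an added example (not part of this report or of the babybuddy project), a small Python checker that parses raw HTTP response headers and reports every Set-Cookie line lacking HttpOnly, Secure or SameSite; the sample response is reconstructed from the headers shown above with a constructed placeholder token value.

```python
"""Audit HTTP response headers for cookies missing HttpOnly / Secure / SameSite."""
from dataclasses import dataclass, field

# Attributes every cookie should carry; names are compared case-insensitively.
REQUIRED_ATTRS = ("httponly", "secure", "samesite")


@dataclass
class CookieFinding:
    name: str
    attrs: dict
    missing: list = field(default_factory=list)


def parse_set_cookie(value: str) -> CookieFinding:
    """Split one Set-Cookie value into cookie name, attributes and missing flags."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Flag attributes (HttpOnly, Secure) have no value; record them as True.
        attrs[key.strip().lower()] = val.strip() if val else True
    missing = [a for a in REQUIRED_ATTRS if a not in attrs]
    return CookieFinding(name, attrs, missing)


def audit_response(raw_response: str) -> list:
    """Return a CookieFinding for each Set-Cookie header lacking a required attribute."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]  # drop body, if any
    findings = []
    for line in head.splitlines():
        header, _, value = line.partition(":")
        if header.strip().lower() == "set-cookie":
            finding = parse_set_cookie(value.strip())
            if finding.missing:
                findings.append(finding)
    return findings


# Constructed sample: the response headers from the report, with a placeholder token.
VULNERABLE_RESPONSE = """HTTP/1.1 200 OK
Server: gunicorn
X-Frame-Options: DENY
Set-Cookie: csrftoken=PLACEHOLDER_TOKEN; expires=Wed, 14 Sep 2022 14:21:42 GMT; Max-Age=31449600; Path=/; SameSite=Lax
Via: 1.1 vegur"""

# The same cookie as it would look with the HttpOnly and Secure attributes present.
HARDENED_RESPONSE = VULNERABLE_RESPONSE.replace("SameSite=Lax", "SameSite=Lax; Secure; HttpOnly")

if __name__ == "__main__":
    for f in audit_response(VULNERABLE_RESPONSE):
        print(f"{f.name}: missing {', '.join(f.missing)}")
    print("hardened findings:", audit_response(HARDENED_RESPONSE))
```

Note that the cookie shown in the report is Django's CSRF cookie, whose HttpOnly attribute is controlled by the CSRF_COOKIE_HTTPONLY setting; SESSION_COOKIE_HTTPONLY governs the session cookie.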

We have contacted a member of the babybuddy team and are waiting to hear back 2 years ago
Christopher Charbonneau Wells validated this vulnerability 2 years ago
@0xAmal has been awarded the disclosure bounty
The fix bounty is now up for grabs
Christopher Charbonneau Wells marked this as fixed with commit c8d489 2 years ago
Christopher Charbonneau Wells has been awarded the fix bounty
This vulnerability will not receive a CVE