Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in erudika/para

Valid

Reported on

Jul 14th 2022


Description

The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.

Proof of Concept

Link: https://postimg.cc/1nBBXZr5

Remediation

If possible, you should set the Secure flag for these cookies.

Impact

When a cookie is set with the Secure flag, it instructs the browser that the cookie may only be sent over encrypted SSL/TLS channels. This is an important security protection for session cookies. The Secure flag should be set on all cookies that are used for transmitting sensitive data when accessing content over HTTPS. If cookies are used to transmit session tokens, then areas of the application that are accessed over HTTPS should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications.
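A small defender-side check for the condition described above, added here as an example and not part of the original report or of the erudika/para code base: it parses Set-Cookie headers and reports sensitive cookies (the para-auth cookie named in the report) that lack the Secure attribute, with HttpOnly checked alongside. The sample headers and the token value are constructed placeholders.

```python
import re
from typing import Dict, List, Tuple

# Constructed Set-Cookie headers standing in for an HTTPS response from a para
# instance. The cookie name para-auth comes from the report; the token value is a
# placeholder, not a real session token.
SAMPLE_HEADERS = [
    "Set-Cookie: para-auth=PLACEHOLDER_TOKEN; Path=/; HttpOnly",  # as reported: no Secure
    "Set-Cookie: theme=dark; Path=/",  # not a sensitive cookie, skipped by the audit
    "Set-Cookie: para-auth=PLACEHOLDER_TOKEN; Path=/; HttpOnly; Secure; SameSite=Lax",  # remediated
]

SENSITIVE_COOKIES = {"para-auth"}


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split one Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased because RFC 6265 treats them
    case-insensitively; flag attributes such as Secure and HttpOnly map to "".
    """
    body = re.sub(r"^set-cookie:\s*", "", header, flags=re.IGNORECASE)
    pair, *attr_parts = [p.strip() for p in body.split(";")]
    name, _, value = pair.partition("=")
    attrs: Dict[str, str] = {}
    for part in attr_parts:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_headers(headers: List[str], sensitive=SENSITIVE_COOKIES) -> List[Tuple[str, List[str]]]:
    """Return (cookie name, findings) for each sensitive cookie the response sets."""
    results: List[Tuple[str, List[str]]] = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if name not in sensitive:
            continue
        findings = []
        if "secure" not in attrs:
            findings.append("missing Secure: cookie may be sent over plaintext HTTP")
        if "httponly" not in attrs:
            findings.append("missing HttpOnly: cookie readable from script")
        results.append((name, findings))
    return results


if __name__ == "__main__":
    for name, findings in audit_headers(SAMPLE_HEADERS):
        print(name, "OK" if not findings else "; ".join(findings))
```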

We are processing your report and will contact the erudika/para team within 24 hours. 10 months ago
We have contacted a member of the erudika/para team and are waiting to hear back 10 months ago
Alex Bogdanovski validated this vulnerability 10 months ago
7h3h4ckv157 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
7h3h4ckv157
10 months ago

Researcher
The cookie (para-auth) is not yet fixed. Once the case is solved, are you happy to assign a CVE for this one? @maintainer @admin

Similar cases:

https://nvd.nist.gov/vuln/detail/CVE-2021-40642
https://www.cve.org/CVERecord?id=CVE-2021-35236

Alex Bogdanovski marked this as fixed in 1.46.2 with commit 02ee9e 10 months ago
Alex Bogdanovski has been awarded the fix bounty
This vulnerability will not receive a CVE