Cookie without Secure attribute in pyload/pyload
Reported on
Jan 3rd 2023
Description
The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.
Proof of Concept
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 107
Vary: Accept-Encoding
Set-Cookie: pyload_session=28d0985f-aea1-490b-9954-866be697d8ad; Expires=Fri, 03 Feb 2023 05:47:17 GMT; HttpOnly; Path=/; SameSite=Lax
Connection: close
Date: Tue, 03 Jan 2023 05:47:17 GMT
Server: Cheroot/8.6.0
Impact
User's cookies can be sent to the server with an unencrypted request over the HTTP protocol. This is not secure.