From: Clement O. <c.o...@wo...> - 2019-03-13 10:23:44
Urgent help please! Greenbone vulnerability scan on our Debian server running Webmin reports the following:

1. Missing `httpOnly` Cookie Attribute
   <https://10.100.31.5/omp?cmd=get_result&result_id=4d6345bd-8d7e-4ba6-ae18-769834e3f5ec&apply_overrides=&min_qod=&task_id=&name=&report_id=05065e21-f79e-493b-864d-12d7143ba44b&filter=&filt_id=&overrides=&autofp=&report_result_id=4d6345bd-8d7e-4ba6-ae18-769834e3f5ec&token=f208ee5a-44be-11e9-861e-0010f3466dc6>

2. SSL/TLS: Missing `secure` Cookie Attribute
   <https://10.100.31.5/omp?cmd=get_result&result_id=db6c30bb-c8fe-46b4-8471-2456ee65a4b2&apply_overrides=&min_qod=&task_id=&name=&report_id=05065e21-f79e-493b-864d-12d7143ba44b&filter=&filt_id=&overrides=&autofp=&report_result_id=db6c30bb-c8fe-46b4-8471-2456ee65a4b2&token=f208ee5a-44be-11e9-861e-0010f3466dc6>

Details for Missing `httpOnly` Cookie Attribute
<https://10.100.31.5/omp?cmd=get_result&result_id=4d6345bd-8d7e-4ba6-ae18-769834e3f5ec&apply_overrides=&min_qod=&task_id=&name=&report_id=05065e21-f79e-493b-864d-12d7143ba44b&filter=&filt_id=&overrides=&autofp=&report_result_id=4d6345bd-8d7e-4ba6-ae18-769834e3f5ec&token=f208ee5a-44be-11e9-861e-0010f3466dc6>
below:

Summary
The application is missing the 'httpOnly' cookie attribute.

Vulnerability Detection Result
The cookies:
  Set-Cookie: redirect=***replaced***; path=/
  Set-Cookie: testing=***replaced***; path=/; secure
are missing the "httpOnly" attribute.

Solution
Solution type: [Mitigation] Mitigation
Set the 'httpOnly' attribute for any session cookie.

Affected Software/OS
Application with session handling in cookies.

Vulnerability Insight
The flaw is due to a cookie not using the 'httpOnly' attribute. This allows a cookie to be accessed by JavaScript, which could lead to session hijacking attacks.

Can someone please help with any idea about how to fix this?

Best Regards
Clement
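A small check script, added here as an example and not part of Clement's message or of Webmin itself: it parses Set-Cookie values the way the scanner does, reports which of HttpOnly and Secure is missing on each cookie, and can fetch the headers from a live host so the change can be confirmed after the configuration is edited. The sample headers are the two lines quoted in the finding above; the hardened versions, the hostname in the comment, and the optional SameSite check are assumptions of this example, not something the scanner reported. Note also that the scanner's advice is about session cookies while the cookies it named are `redirect` and `testing`; it is worth confirming what those two carry before treating this as more than a hardening item.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure attributes.

Reproduces offline the check behind the two Greenbone findings quoted in the
post, and can be pointed at a live host to confirm a fix took effect.
"""
import http.client
import ssl
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Cookie:
    name: str
    # attribute name (lower-cased) -> value; flags such as Secure map to None
    attributes: Dict[str, Optional[str]]


def parse_set_cookie(header: str) -> Cookie:
    """Split one Set-Cookie header value into the cookie name and its attributes.

    Attribute names are case-insensitive (RFC 6265), so they are lower-cased;
    'Secure' and 'HttpOnly' are value-less flags and are stored as None.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attributes: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, value = part.partition("=")
        attributes[key.strip().lower()] = value.strip() if sep else None
    return Cookie(name.strip(), attributes)


def audit_cookie(cookie: Cookie, over_tls: bool = True,
                 check_samesite: bool = False) -> List[str]:
    """Return one finding string per missing attribute, in a fixed order."""
    findings = []
    if "httponly" not in cookie.attributes:
        findings.append(f"{cookie.name}: missing HttpOnly")
    # Secure only makes sense when the site is served over TLS, which is what
    # the "SSL/TLS:" prefix on the second scanner finding indicates.
    if over_tls and "secure" not in cookie.attributes:
        findings.append(f"{cookie.name}: missing Secure")
    # SameSite is not part of the two findings in the post; it is an extra
    # check (assumption of this example) a reviewer would usually add.
    if check_samesite and "samesite" not in cookie.attributes:
        findings.append(f"{cookie.name}: missing SameSite")
    return findings


def audit_headers(headers, over_tls: bool = True,
                  check_samesite: bool = False) -> List[str]:
    """Audit a list of Set-Cookie header values and collect all findings."""
    findings = []
    for header in headers:
        findings.extend(audit_cookie(parse_set_cookie(header), over_tls, check_samesite))
    return findings


# Constructed sample input: the two Set-Cookie values quoted in the scanner
# result (cookie values masked by the scanner as ***replaced***).
SAMPLE_HEADERS = [
    "redirect=***replaced***; path=/",
    "testing=***replaced***; path=/; secure",
]

# Assumed target state: the same two cookies once both attributes are set.
HARDENED_HEADERS = [
    "redirect=***replaced***; path=/; Secure; HttpOnly; SameSite=Lax",
    "testing=***replaced***; path=/; Secure; HttpOnly; SameSite=Lax",
]


def fetch_set_cookie_headers(host: str, port: int = 10000, path: str = "/",
                             verify_cert: bool = True) -> List[str]:
    """Fetch one page over HTTPS and return every Set-Cookie header it sends.

    Port 10000 is Webmin's default listener. Set verify_cert=False only for a
    self-signed Webmin certificate on a host you control.
    """
    ctx = ssl.create_default_context()
    if not verify_cert:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.headers.get_all("Set-Cookie") or []
    finally:
        conn.close()


if __name__ == "__main__":
    print("before:", audit_headers(SAMPLE_HEADERS))
    print("after: ", audit_headers(HARDENED_HEADERS, check_samesite=True))
    # After changing the server configuration, re-check the live host
    # (hostname is a placeholder assumption):
    # print(audit_headers(fetch_set_cookie_headers("webmin.example.internal",
    #                                              verify_cert=False)))
```

Run with no arguments to see the three scanner findings reproduced from the sample lines (two for `redirect`, one for `testing`); point `fetch_set_cookie_headers` at the Webmin host after editing its configuration to verify the live headers now pass.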