Missing HttpOnly Attribute in Session Cookie
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Dashboard (Horizon) | Won't Fix | Undecided | Unassigned |
Bug Description
Affected URL: https:/
Entity: csrftoken (Cookie)
Risk: It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user.
Cause: The web application sets session cookies without the HttpOnly attribute.
Recommended fix: Add the 'HttpOnly' attribute to all session cookies.
The Test Requests and Responses:
GET /admin/ HTTP/1.1
Host: 9.5.29.52
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0
Accept: text/html,
Accept-Language: en-US,en;q=0.5
Referer: https:/
Cookie: csrftoken=
Connection: keep-alive
HTTP/1.1 200 OK
Date: Fri, 12 Sep 2014 07:52:50 GMT
Server: Apache
Vary: Accept-
X-Frame-Options: SAMEORIGIN
Content-Language: en
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
2014/9/12 504
Transfer-Encoding: chunked
Content-Type: text/html
Set-Cookie: csrftoken=
Set-Cookie: sessionid=
<!DOCTYPE html>
<html>
<head>
<meta content='text/html; charset=utf-8' http-equiv=
<title>Usage Overview - Cloud Management Dashboard</title>
<!--
Copyright 2014 *** Corp.
-->
<link rel="stylesheet" href="/
<link rel="shortcut icon" href="/
<!--
Fix header padding issue in IE < 10
-->
<!--[if lt IE 10 ]>
<style>
.topbar {
padding-bottom: 0px;
}
</style>
<![endif]-->
<script type="text/
<script type="text/
/*
Added so that we can append Horizon scoped JS events to
the DOM load events without running in to the "horizon"
name-space not currently being defined since we load the
scripts at the bottom of the page.
*/
var addHorizonLoadEvent = function(func) {
var old_onload = window.onload;
if (typeof window.onload != 'function') {
window.onload = func;
} else {
window.onload = function() {
old_onload();
func();
}
}
}
</script>
</head>
<body id="" ng-app='hz'>
<div id="container">
<div class='topbar'>
<!--
Copyright 2014 ***Corp.
-->
<h1 class="brand"><a href="/home/">Cloud Management Dashboard</a></h1>
<div id="user_info" class="pull-right">
<div id="tenant_
<div>admin</div>
</div>
<div id="profile_
<a class="
<div>admin</div>
</a>
<ul id="editor_list" class="
<li class='
<li><a href="/
<li><a href="http://
<li><a href="/
</ul>
</div>
<img class="brand_icon" src="/static/
</div>
</div>
<div id='main_content'>
<div class="messages">
</div>
<div class='sidebar'>
<div>
<dl class="
<dt >
<div>Project</div>
</dt>
<dd style="
<div><h4>
<ul>
<li><a href="/project/" tabindex="1" >Overview</a></li>
<li><a href="/
<li><a href="/
<li><a href="/
<li><a href="/
</ul>
</div>
<div><h4>
<ul>
<li><a href="/
<li><a href="/
<li><a href="/
</ul>
</div>
<div><h4>
<ul>
<li><a href="/
</ul>
</div>
...
...
...
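The finding above rests on reading the Set-Cookie headers of a captured response and checking which attributes each session-related cookie carries. The following script, added here as an example and not part of the bug report or of Horizon, does that check offline over a constructed response modelled on the one in the report (the cookie values and the cookie names of interest, `csrftoken` and `sessionid`, are placeholders taken from the report; nothing is fetched from a live host). It reports, per cookie, which of the HttpOnly and Secure attributes are absent, treating attribute names case-insensitively as RFC 6265 requires.

```python
"""Audit Set-Cookie headers in a captured HTTP response for missing
HttpOnly / Secure attributes. Added example, not code from the bug report."""

# Cookie names the report flags; constructed list, adjust for your application.
SESSION_COOKIE_NAMES = {"sessionid", "csrftoken"}

# Attributes a session cookie is expected to carry.
REQUIRED_ATTRS = ("httponly", "secure")

# Constructed sample response; values are placeholders, not real tokens.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Fri, 12 Sep 2014 07:52:50 GMT\r\n"
    "Server: Apache\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Set-Cookie: csrftoken=EXAMPLE_CSRF_TOKEN; Path=/\r\n"
    "Set-Cookie: sessionid=EXAMPLE_SESSION_ID; HttpOnly; Path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<!DOCTYPE html><html><head></head><body></body></html>"
)


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attrs).

    attrs maps lower-cased attribute names to their value, or True for
    flag attributes such as HttpOnly and Secure that take no value.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, has_value, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value, attrs


def audit_response(raw_response, names=SESSION_COOKIE_NAMES):
    """Return {cookie_name: [missing attributes]} for the cookies of interest.

    Only the header block is inspected; the body after the blank line is ignored.
    A cookie that carries every required attribute maps to an empty list.
    """
    normalized = raw_response.replace("\r\n", "\n")
    head, _, _body = normalized.partition("\n\n")
    findings = {}
    for line in head.split("\n")[1:]:  # skip the status line
        field, _, val = line.partition(":")
        if field.strip().lower() != "set-cookie":
            continue
        name, _value, attrs = parse_set_cookie(val)
        if name not in names:
            continue
        findings[name] = [a for a in REQUIRED_ATTRS if a not in attrs]
    return findings


def format_report(findings):
    """Render findings as one line per cookie, suitable for a scan log."""
    lines = []
    for name in sorted(findings):
        missing = findings[name]
        status = "OK" if not missing else "missing " + ", ".join(missing)
        lines.append(f"{name}: {status}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(audit_response(SAMPLE_RESPONSE)))
```

With the constructed response the script reports `csrftoken` as missing both HttpOnly and Secure and `sessionid` as missing only Secure. In a Django-based application such as Horizon the HttpOnly attribute on these two cookies is controlled by the `SESSION_COOKIE_HTTPONLY` and `CSRF_COOKIE_HTTPONLY` settings, so running a check like this against a deployment confirms what the running configuration actually emits rather than what the source defaults say.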
description: updated
tags: added: security
Changed in horizon:
status: New → Confirmed
As far as I can tell in master right now SESSION_COOKIE_HTTPONLY = True which should add httponly to all session cookies.