Details

    • Type: Bug
    • Status: Resolved
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: 3.5.1
    • Fix Version/s: 4.4.0
    • Component/s: None
    • Labels: None

      Description

      From the ticket opened by a customer:

      <description>
      The application web server does not set the Secure attribute when generating certain application cookies. Without the Secure flag set, the web server will transmit the cookie in clear text if the application is accessible over an unencrypted channel. Consequently, an attacker can view any sensitive data in the cookie and gain unauthorized access to the application by hijacking a user’s session.
      The following cookies were generated without the Secure attribute set.
      art-page

      This finding was discovered on the following application pages.
      /artifactory/webapp/bintraysearch.html
      /artifactory/webapp/browserepo.html
      </description>

      Here are a couple of links describing the nature of the Secure attribute/flag:
      https://www.owasp.org/index.php/SecureFlag
      http://resources.infosecinstitute.com/securing-cookies-httponly-secure-flags/
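
One way to check for this finding, as an added example that is not part of the original ticket or Artifactory's own code: parse each Set-Cookie response header value and report cookies whose attribute list lacks Secure. The header values are constructed samples passed one per list element; only the cookie name art-page comes from the ticket, and the function names are hypothetical.

```python
"""Audit Set-Cookie header values for a missing Secure attribute (added example)."""


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes).

    Follows the RFC 6265 section 5.2 shape: the first ';'-separated part is
    name=value, every later part is an attribute matched case-insensitively.
    """
    parts = header_value.split(";")
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        key = key.strip().lower()
        if key:
            attrs[key] = val.strip()
    return name.strip(), value.strip(), attrs


def cookies_missing_secure(set_cookie_headers):
    """Return the names of cookies whose attribute list lacks Secure."""
    missing = []
    for header_value in set_cookie_headers:
        name, _value, attrs = parse_set_cookie(header_value)
        # Only the attribute list counts; "secure" inside the value does not.
        if name and "secure" not in attrs:
            missing.append(name)
    return missing


# Constructed sample headers; only the cookie name art-page comes from the ticket.
SAMPLE_HEADERS = [
    "art-page=browserepo; Path=/artifactory",
    "SESSIONID=0123456789abcdef; Path=/; secure; HttpOnly",
    "prefs=secure; Path=/",
    "lang=en; Path=/; SECURE",
]

if __name__ == "__main__":
    for cookie_name in cookies_missing_secure(SAMPLE_HEADERS):
        print(f"missing Secure: {cookie_name}")
```

A substring search for "secure" would wrongly pass the prefs cookie above, which is why the check looks only at parsed attribute names.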

              People

              • Assignee:
                gidis Gidi Shabat
                Reporter:
                justing Justin Gries (Inactive)
                Assigned QA:
                Anastasiya Muntyan