
Vulnerability report

• Vulnerability Name:
• Session token in URL
• TLS cookie without secure flag set

Session token in URL (1)

• Issue:   Session token in URL
• Host:   https://syndication.twitter.com
• Path:   /i/jot

Issue detail

• 2 instances of this issue were identified, at the following locations:
• /i/jot
• /settings
Path:   /i/jot

• Issue detail

• The URL in the request appears to contain a session token within the query string:
https://syndication.twitter.com/i/jot?l=%7B%22widget_origin%22%3A%22https%3A%2F%2Fwww.finexbox.com%2Fmarket%2Fpair%2FXQR-BTC.html%22%2C%22widget_frame%22%3Afalse%2C%22widget_site_screen_name%22%3A%22finexbox%22%2C%22widget_data_source%22%3A%22profile%3Afinexbox%22%2C%22query%22%3Anull%2C%22profile_id%22%3Anull%2C%22_category_%22%3A%22tfw_client_event%22%2C%22triggered_on%22%3A1651135046349%2C%22dnt%22%3Afalse%2C%22client_version%22%3A%22c8fe9736dd6fb%3A1649830956492%22%2C%22format_version%22%3A1%2C%22event_namespace%22%3A%7B%22client%22%3A%22tfw%22%2C%22page%22%3A%22timeline%22%2C%22component%22%3A%22timeline%22%2C%22element%22%3A%22initial%22%2C%22action%22%3A%22results%22%7D%7D&session_id=7169385dcb8ef7d68ba41d911c3c30f1c26052c1
Path:   /settings

• Issue detail

• The URL in the request appears to contain a session token within the query string:
https://syndication.twitter.com/settings?session_id=7169385dcb8ef7d68ba41d911c3c30f1c26052c1
Issue background

• Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.

Issue remediation

• Applications should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.
Inspect

• Session tokens are unique pieces of information shared between the browser and the server. They make it possible to track user activity and differentiate between users. For example, an e-commerce application may use a session token to identify the shopping cart that belongs to a particular user.

• An attacker can capture these tokens.
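As an added example that is not part of this report or of the scanner that produced it, the Python check below reproduces the "session token in URL" heuristic over the report's own URLs and shows the log-safe rewrite a defender applies before URLs reach logs or tickets. The parameter-name list and the value pattern are assumed heuristics; a parameter such as session_redirect, whose decoded value is itself a URL, is treated as a redirect target rather than a token, which is the kind of hit that still needs manual review.

```python
from __future__ import annotations
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Heuristic: parameter names that commonly carry a session identifier (assumed list).
SESSION_PARAM_RE = re.compile(r"sess|sid|token|auth", re.IGNORECASE)
# A token value: a long run of hex/base64url characters. Values are checked after
# percent-decoding, so a value that is itself a URL never matches this pattern.
TOKEN_VALUE_RE = re.compile(r"^[A-Za-z0-9_\-=]{16,}$")


def find_session_tokens(url: str) -> list[tuple[str, str]]:
    """Return (param, value) pairs in the query string that look like session tokens."""
    query = urlsplit(url).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if not SESSION_PARAM_RE.search(name):
            continue
        # session_redirect=https://... carries a redirect target, not a credential;
        # a name-only heuristic would flag it, so the value is checked as well.
        if "://" in value or not TOKEN_VALUE_RE.match(value):
            continue
        hits.append((name, value))
    return hits


def redact_session_tokens(url: str) -> str:
    """Rewrite the URL so flagged values are masked before it is logged or shared."""
    parts = urlsplit(url)
    flagged = {name for name, _ in find_session_tokens(url)}
    pairs = [(n, "REDACTED" if n in flagged else v)
             for n, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


# URL quoted in the report above (session_id in the query string).
REPORTED_URL = "https://syndication.twitter.com/settings?session_id=7169385dcb8ef7d68ba41d911c3c30f1c26052c1"
# One of the LinkedIn links from the report: the name contains "session" but the value is a URL.
REDIRECT_URL = "https://www.linkedin.com/login?session_redirect=https%3A%2F%2Fwww%2Elinkedin%2Ecom%2Fcompany%2Fqredit&fromSignIn=true&trk=organization_guest_nav-header-signin"

if __name__ == "__main__":
    print(find_session_tokens(REPORTED_URL))    # [('session_id', '7169385dcb8ef7d68ba41d911c3c30f1c26052c1')]
    print(find_session_tokens(REDIRECT_URL))    # []
    print(redact_session_tokens(REPORTED_URL))  # https://syndication.twitter.com/settings?session_id=REDACTED
```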


Disclaimer
• The origins of the information on this site may be internal or external to Progress Software
Corporation (“Progress”). Progress Software Corporation makes all reasonable efforts to
verify this information. However, the information provided is for your information only.
Progress Software Corporation makes no explicit or implied claims to the validity of this
information.

Any sample code provided on this site is not supported under any Progress support
program or service. The sample code is provided on an "AS IS" basis. Progress makes no
warranties, express or implied, and disclaims all implied warranties including, without
limitation, the implied warranties of merchantability or of fitness for a particular purpose.
The entire risk arising out of the use or performance of the sample code is borne by the
user. In no event shall Progress, its employees, or anyone else involved in the creation,
production, or delivery of the code be liable for any damages whatsoever (including,
without limitation, damages for loss of business profits, business interruption, loss of
business information, or other pecuniary loss) arising out of the use of or inability to use
the sample code, even if Progress has been advised of the possibility of such damages.
Vulnerability classifications

• CWE-200: Information Exposure
• CWE-384: Session Fixation
• CWE-598: Information Exposure Through Query Strings in GET Request
• CAPEC-593: Session Hijacking

• POC
Session token in URL (2)

• Host:   https://www.linkedin.com

Issue detail

• 2 instances of this issue were identified, at the following locations:
• /authwall
• /company/qredit
Issue background

• Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.

Issue remediation

• Applications should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.

Vulnerability classifications

• CWE-200: Information Exposure
• CWE-384: Session Fixation
• CWE-598: Information Exposure Through Query Strings in GET Request
• CAPEC-593: Session Hijacking
Path:   /authwall

• Issue detail

• The URL in the request appears to contain a session token within the query string:
https://www.linkedin.com/authwall?trk=gf&trkInfo=AQGwO9BdZcvS0wAAAYBu_pI4D2_nN-2NjcE3ySFQ-_QBBt0A02QG8pq19ceY_3DT_aeXojX_KC7Wms_vCb4f10XA9B_HiWGP0x4b0wg51FntJZgykf-UENe00hIgU8cG-Dy9c5o=&originalReferer=https://www.qredit.io/&sessionRedirect=https%3A%2F%2Fwww.linkedin.com%2Fcompany%2Fqredit
Path:   /company/qredit

• Issue detail

• The response contains the following links that appear to contain session tokens:
• https://www.linkedin.com/signup/cold-join?session_redirect=https%3A%2F%2Fwww%2Elinkedin%2Ecom%2Fcompany%2Fqredit&trk=organization_guest_nav-header-join
• https://www.linkedin.com/login?session_redirect=https%3A%2F%2Fwww%2Elinkedin%2Ecom%2Fcompany%2Fqredit&fromSignIn=true&trk=top-card_top-card-secondary-button-top-card-secondary-cta
• https://www.linkedin.com/login?session_redirect=https%3A%2F%2Fwww%2Elinkedin%2Ecom%2Fcompany%2Fqredit&fromSignIn=true&trk=organization_guest_nav-header-signin
• https://www.linkedin.com/login?session_redirect=https%3A%2F%2Fwww%2Elinkedin%2Ecom%2Fcompany%2Fqredit&fromSignIn=true&trk=top-card_ellipsis-menu-sign-in-redirect

• POC
• /authwall
• /company/qredit
TLS cookie without secure flag set

• Issue:   TLS cookie without secure flag set
• Host:   https://www.finexbox.com
• Path:   /market/pair/XQR-BTC.html

Issue detail

• The following cookie was issued by the application and does not have the secure flag set:
• FBSESSION

• The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Issue background

• If the secure flag is set on a cookie, then browsers will not submit the cookie in any
requests that use an unencrypted HTTP connection, thereby preventing the cookie from
being trivially intercepted by an attacker monitoring network traffic. If the secure flag is
not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs
within the cookie's scope. An attacker may be able to induce this event by feeding a
user suitable links, either directly or via another web site. Even if the domain that issued
the cookie does not host any content that is accessed over HTTP, an attacker may be
able to use links of the form http://example.com:443/ to perform the same attack.
• To exploit this vulnerability, an attacker must be suitably positioned to eavesdrop on the
victim's network traffic. This scenario typically occurs when a client communicates with
the server over an insecure connection such as public Wi-Fi, or a corporate or home
network that is shared with a compromised computer. Common defenses such as
switched networks are not sufficient to prevent this. An attacker situated in the user's
ISP or the application's hosting infrastructure could also perform this attack. Note that
an advanced adversary could potentially target any connection made over the Internet's
core infrastructure.
Issue remediation

• The secure flag should be set on all cookies that are used for transmitting sensitive data when accessing content over HTTPS. If cookies are used to transmit session tokens, then areas of the application that are accessed over HTTPS should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications.
Vulnerability classifications

• CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

Inspect

• If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie's scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site.
How to fix this vulnerability

• If possible, you should set the Secure flag for this cookie.
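Added example, not from this report: a small Python model of the Secure attribute rule described in the issue background, using the cookie name from the finding with a constructed value. It shows that without Secure the cookie is sent to an http://host:443/ URL, and that appending the attribute (the remediation above) stops that while leaving HTTPS requests unaffected; path matching is simplified to a prefix check and the URL is assumed to be on the cookie's host.

```python
from urllib.parse import urlsplit


def parse_set_cookie(header: str):
    """Split a Set-Cookie header into (name, value, {attribute: value-or-True})."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def missing_secure(header: str) -> bool:
    """True when the cookie lacks Secure, i.e. the condition reported above."""
    return not parse_set_cookie(header)[2].get("secure", False)


def add_secure(header: str) -> str:
    """Remediation: append the Secure attribute if it is absent (idempotent)."""
    return header if not missing_secure(header) else header.rstrip("; ") + "; Secure"


def browser_would_send(header: str, url: str) -> bool:
    """Model only the Secure rule: a Secure cookie goes out solely on https:// URLs.
    Without Secure the scheme is not checked, so an http://host:443/ link (the trick
    from the issue background) still carries the cookie in clear text.
    Assumes the URL is on the cookie's host; path matching is a simple prefix check."""
    _, _, attrs = parse_set_cookie(header)
    parts = urlsplit(url)
    if attrs.get("secure") and parts.scheme != "https":
        return False
    return parts.path.startswith(str(attrs.get("path", "/")))


# Constructed sample: cookie name from the report, value made up for the example.
WEAK = "FBSESSION=c0ffee1234567890abcdef; Path=/"
FIXED = add_secure(WEAK)  # "FBSESSION=c0ffee1234567890abcdef; Path=/; Secure"
HTTP_443 = "http://www.finexbox.com:443/market/pair/XQR-BTC.html"
HTTPS_URL = "https://www.finexbox.com/market/pair/XQR-BTC.html"

if __name__ == "__main__":
    print(missing_secure(WEAK), browser_would_send(WEAK, HTTP_443))    # True True
    print(missing_secure(FIXED), browser_would_send(FIXED, HTTP_443))  # False False
    print(browser_would_send(FIXED, HTTPS_URL))                        # True
```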

• POC
• Have a nice day! Waiting for your positive reply.

• Thanks and Regards,
• lemon_in_the_spoon
