Report
• Vulnerability Name: Session token in URL
• Host: https://syndication.twitter.com
• Paths: /i/jot, /settings

Path: /i/jot
• Issue detail
• The URL in the request appears to contain a session token within the query string:
https://syndication.twitter.com/i/jot?l=%7B%22widget_origin%22%3A%22https%3A%2F%2Fwww.finexbox.com%2Fmarket%2Fpair%2FXQR-BTC.html%22%2C%22widget_frame%22%3Afalse%2C%22widget_site_screen_name%22%3A%22finexbox%22%2C%22widget_data_source%22%3A%22profile%3Afinexbox%22%2C%22query%22%3Anull%2C%22profile_id%22%3Anull%2C%22_category_%22%3A%22tfw_client_event%22%2C%22triggered_on%22%3A1651135046349%2C%22dnt%22%3Afalse%2C%22client_version%22%3A%22c8fe9736dd6fb%3A1649830956492%22%2C%22format_version%22%3A1%2C%22event_namespace%22%3A%7B%22client%22%3A%22tfw%22%2C%22page%22%3A%22timeline%22%2C%22component%22%3A%22timeline%22%2C%22element%22%3A%22initial%22%2C%22action%22%3A%22results%22%7D%7D&session_id=7169385dcb8ef7d68ba41d911c3c30f1c26052c1

Path: /settings
• Issue detail
• The URL in the request appears to contain a session token within the query string:
https://syndication.twitter.com/settings?session_id=7169385dcb8ef7d68ba41d911c3c30f1c26052c1
Issue background
• Anything placed in a URL's query string is written to browser history, to web server and proxy logs, and is sent to third-party sites in the Referer header when an off-site link is followed, so a session token carried in the URL (as session_id is here) is exposed to far more parties than one carried in a cookie or an Authorization header.
Vulnerability classifications
• Session token in URL
• POC
Session token in URL (2)
• Host: https://www.linkedin.com
• Path: /company/qredit
Issue detail
• The response contains the following links that appear to contain session tokens:
• https://www.linkedin.com/signup/cold-join?session_redirect=https%3A%2F%2Fwww%2Elinkedin%2Ecom%2Fcompany%2Fqredit&trk=organization_guest_nav-header-join
• https://www.linkedin.com/login?session_redirect=https%3A%2F%2Fwww%2Elinkedin%2Ecom%2Fcompany%2Fqredit&fromSignIn=true&trk=top-card_top-card-secondary-button-top-card-secondary-cta
• https://www.linkedin.com/login?session_redirect=https%3A%2F%2Fwww%2Elinkedin%2Ecom%2Fcompany%2Fqredit&fromSignIn=true&trk=organization_guest_nav-header-signin
• https://www.linkedin.com/login?session_redirect=https%3A%2F%2Fwww%2Elinkedin%2Ecom%2Fcompany%2Fqredit&fromSignIn=true&trk=top-card_ellipsis-menu-sign-in-redirect
• Note: the value of each session_redirect parameter decodes to a page address (https://www.linkedin.com/company/qredit), not to a session identifier. The scanner matched on the parameter name, so this entry should be verified manually before it is reported as a token leak.
• POC
• Paths: /authwall, /company/qredit
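The script below is an added example, not code from the report, from Burp Suite or from Twitter/LinkedIn. It re-checks both "Session token in URL" findings above with the same name-based trigger a scanner uses (the parameter-name list is an assumption) and then inspects the value: the 40-character hexadecimal session_id on syndication.twitter.com is classified as a token, while LinkedIn's session_redirect values decode to a page URL and are rejected. Only the shorter URLs quoted in the report are embedded; the function names and thresholds are this example's own.

```python
"""Re-check "Session token in URL" findings by looking at the parameter value."""
import math
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

# Parameter names a scanner keys on (assumption: a representative list).
TOKEN_NAME_RE = re.compile(r"sess|sid|token|auth", re.I)
# Opaque identifiers such as the 40-character hex session_id in the report.
HEX_RE = re.compile(r"^[0-9a-f]{20,}$", re.I)

# Sample URLs quoted in the report (the long /i/jot URL is left out here).
TWITTER_SETTINGS = ("https://syndication.twitter.com/settings?"
                    "session_id=7169385dcb8ef7d68ba41d911c3c30f1c26052c1")
LINKEDIN_JOIN = ("https://www.linkedin.com/signup/cold-join?session_redirect="
                 "https%3A%2F%2Fwww%2Elinkedin%2Ecom%2Fcompany%2Fqredit"
                 "&trk=organization_guest_nav-header-join")
LINKEDIN_LOGIN = ("https://www.linkedin.com/login?session_redirect="
                  "https%3A%2F%2Fwww%2Elinkedin%2Ecom%2Fcompany%2Fqredit"
                  "&fromSignIn=true&trk=organization_guest_nav-header-signin")
SAMPLE_URLS = [TWITTER_SETTINGS, LINKEDIN_JOIN, LINKEDIN_LOGIN]


def shannon_entropy(s: str) -> float:
    """Bits per character; random hex sits near 4.0, English text near 3.0."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def classify_value(value: str) -> str:
    """'token' for an opaque identifier, 'url' for a redirect target, else 'other'."""
    v = unquote(value)
    if v.startswith(("http://", "https://", "/")):
        return "url"  # a post-login destination, not a credential
    if HEX_RE.match(v) or (len(v) >= 16 and " " not in v
                           and shannon_entropy(v) >= 3.5):
        return "token"
    return "other"


def find_session_tokens(url: str) -> list:
    """(parameter, classification) for every parameter whose name looks session-related."""
    query = urlsplit(url).query
    return [(name, classify_value(value))
            for name, value in parse_qsl(query, keep_blank_values=True)
            if TOKEN_NAME_RE.search(name)]


def confirmed_findings(urls) -> list:
    """Only the URLs whose suspicious parameter actually carries a token."""
    return [u for u in urls
            if any(cls == "token" for _, cls in find_session_tokens(u))]


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(find_session_tokens(u), u)
    print("confirmed:", confirmed_findings(SAMPLE_URLS))
```

Run against the three sample URLs, only the syndication.twitter.com /settings URL survives as a confirmed finding; the two LinkedIn links are dropped because their session_redirect value is a URL. Applying the same check to every URL the scanner flags, before writing the report, keeps a parameter that merely has "session" in its name from being reported as a leaked session identifier.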
TLS cookie without secure flag set
• Cookie: FBSESSION
• If the secure flag is set on a cookie, then browsers will not submit the cookie in any
requests that use an unencrypted HTTP connection, thereby preventing the cookie from
being trivially intercepted by an attacker monitoring network traffic. If the secure flag is
not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs
within the cookie's scope. An attacker may be able to induce this event by feeding a
user suitable links, either directly or via another web site. Even if the domain that issued
the cookie does not host any content that is accessed over HTTP, an attacker may be
able to use links of the form http://example.com:443/ to perform the same attack.
• To exploit this vulnerability, an attacker must be suitably positioned to eavesdrop on the
victim's network traffic. This scenario typically occurs when a client communicates with
the server over an insecure connection such as public Wi-Fi, or a corporate or home
network that is shared with a compromised computer. Common defenses such as
switched networks are not sufficient to prevent this. An attacker situated in the user's
ISP or the application's hosting infrastructure could also perform this attack. Note that
an advanced adversary could potentially target any connection made over the Internet's
core infrastructure.
Issue remediation
• The secure flag should be set on all cookies that are used for transmitting sensitive data when accessing content over HTTPS. If cookies are used to transmit session tokens, then areas of the application that are accessed over HTTPS should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications.
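As an added example (not code from the report, from the site that issued the cookie, or from Burp Suite), the script below audits Set-Cookie headers for the Secure attribute, applies the remediation, and models the browser rule that makes the http://example.com:443/ trick in the issue background work. The header lines are constructed for this example: FBSESSION is the cookie name from the report, but its value, the issuing host example.com and the other two cookies are assumptions.

```python
"""Audit Set-Cookie headers for the Secure attribute and apply the fix."""
from urllib.parse import urlsplit

# Constructed Set-Cookie values; only the name FBSESSION comes from the report.
SAMPLE_HEADERS = [
    "FBSESSION=3f9c1a7e5b2d4c6e8a0f1b3d5e7f9a1c; Path=/; HttpOnly",
    "lang=en; Path=/; Max-Age=31536000",
    "csrf=d41d8cd98f; Path=/; Secure; HttpOnly; SameSite=Strict",
]
ISSUING_HOST = "example.com"  # assumed host that set the cookies
FLAG_ATTRS = {"secure", "httponly"}  # attributes that carry no value


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie value into name, value and lower-cased attributes."""
    first, *attrs = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    cookie = {"name": name.strip(), "value": value.strip(), "attrs": {}}
    for attr in attrs:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        cookie["attrs"][key] = True if key in FLAG_ATTRS else val.strip()
    return cookie


def missing_secure(headers) -> list:
    """Names of the cookies issued without the Secure attribute."""
    return [c["name"] for c in map(parse_set_cookie, headers)
            if not c["attrs"].get("secure")]


def add_secure(header: str) -> str:
    """Remediation: re-emit the header with Secure appended (idempotent)."""
    if parse_set_cookie(header)["attrs"].get("secure"):
        return header
    return header.rstrip().rstrip(";") + "; Secure"


def browser_would_send(header: str, issuing_host: str, request_url: str) -> bool:
    """Would a browser attach this cookie to request_url?

    Simplified RFC 6265 section 5.4: the Secure scheme check plus Domain and
    Path matching. Expiry and SameSite are ignored because they do not
    affect the plain-HTTP exposure discussed in the report.
    """
    c = parse_set_cookie(header)
    u = urlsplit(request_url)
    if c["attrs"].get("secure") and u.scheme != "https":
        return False  # the only thing standing between the cookie and the wire
    host = (u.hostname or "").lower()
    domain = c["attrs"].get("domain", "").lstrip(".").lower()
    if domain:
        if not (host == domain or host.endswith("." + domain)):
            return False
    elif host != issuing_host.lower():
        return False  # host-only cookie
    cpath = c["attrs"].get("path", "/")
    rpath = u.path or "/"
    return rpath == cpath or (rpath.startswith(cpath)
                              and (cpath.endswith("/") or rpath[len(cpath)] == "/"))


if __name__ == "__main__":
    print("missing Secure:", missing_secure(SAMPLE_HEADERS))
    trick = f"http://{ISSUING_HOST}:443/"  # plain HTTP aimed at the TLS port
    for h in (SAMPLE_HEADERS[0], add_secure(SAMPLE_HEADERS[0])):
        print(browser_would_send(h, ISSUING_HOST, trick), h)
```

The audit lists FBSESSION and lang as lacking Secure. The last two lines show why the flag matters even for a site with no HTTP content: a link of the form http://example.com:443/ is still an http scheme, so a browser sends the unprotected FBSESSION cookie in clear text (the TLS handshake on port 443 fails afterwards, but the request has already left the client), whereas the hardened header is withheld.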
Vulnerability classifications
• CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
How to fix this vulnerability
• Issue the cookie with the Secure attribute, for example Set-Cookie: FBSESSION=<value>; Path=/; Secure, and make sure nothing within the cookie's scope is served over plain HTTP.
• POC
Have a nice day! Waiting for your positive reply.