U.S. Dept Of Defense: [HTAF4-213] [Pre-submission] HTTPOnly session cookie exposure on the /csstest endpoint

Source: hackerone.com (H1:723090) | Reporter: sp1d3rs | Published: Oct 26, 2019, 01:04 | Bounty: $1500

AI Score: 6.4 | Confidence: High

## Description
We were able to identify an endpoint that prints the request headers into the page. This includes sensitive HTTPOnly session cookies, which should not be accessible from the DOM.

## POC
https://█████████/csstest
███████
The JSESSIONID cookie is reflected in the response.

## Suggested fix
Remove the page or its content, or restrict access to it.

## Impact

Combined with any XSS vulnerability, this results in session cookie theft and likely authentication bypass: an XSS payload can request the /csstest page and read the cookie from the response body, which is normally impossible because script cannot access HTTPOnly cookies directly.
We will try to find one and chain the vulns together.
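A defender-side check for this class of issue, added here as an example (not part of the report): send a request with canary values in sensitive headers and flag any that come back verbatim in the response body. The endpoint URL, header names and the sample page below are assumptions constructed for the example.

```python
import urllib.request
from typing import Dict, List

# Constructed canary headers; the values are invented so a reflection is
# unambiguous and no real session material is sent.
CANARY_HEADERS: Dict[str, str] = {
    "Cookie": "JSESSIONID=CANARY-7f3a9c0e1b2d",
    "Authorization": "Bearer CANARY-token-55aa",
    "User-Agent": "header-reflection-check/1.0",
}

# Headers whose reflection into HTML defeats HttpOnly or leaks credentials.
SENSITIVE_HEADERS = ("cookie", "authorization", "x-csrf-token")


def find_reflected_headers(body: str, sent: Dict[str, str]) -> List[str]:
    """Return the names of sent headers whose values appear verbatim in body."""
    found = []
    for name, value in sent.items():
        candidates = [value]
        if name.lower() == "cookie":
            # A debug page may echo only the cookie values, not the whole header.
            candidates += [p.split("=", 1)[1] for p in value.split(";") if "=" in p]
        if any(c and c in body for c in candidates):
            found.append(name)
    return found


def sensitive_reflections(body: str, sent: Dict[str, str]) -> List[str]:
    """Subset of reflected headers that matter for session security."""
    return [h for h in find_reflected_headers(body, sent) if h.lower() in SENSITIVE_HEADERS]


def check_endpoint(url: str, timeout: float = 10.0) -> List[str]:
    """Fetch url with canary headers and report reflected sensitive headers (live check)."""
    req = urllib.request.Request(url, headers=CANARY_HEADERS)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", errors="replace")
    return sensitive_reflections(body, CANARY_HEADERS)


# Constructed response imitating a page that dumps request headers.
SAMPLE_BODY = """<html><body><h1>CSS test</h1><pre>
Host: example.invalid
Cookie: JSESSIONID=CANARY-7f3a9c0e1b2d
User-Agent: header-reflection-check/1.0
</pre></body></html>"""

# Constructed response from a page that does not echo headers.
SAFE_BODY = "<html><body><h1>CSS test</h1><p>ok</p></body></html>"
```

Run `check_endpoint("https://<host>/csstest")` against your own application; any non-empty result is a finding regardless of whether XSS has been found yet.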
