Secure cookie implementation

mzeyrek · October 3, 2017, 8:15pm

Did a quick penetration test over https://pentest-tools.com/website-vulnerability-scanning/web-server-scanner?run for my locally hosted nextcloud server and recieved as medium-secure server result due secure cookies were not enabled )risk description bottom). Are there any plans to implement secure cookies or we need to that at web server level ?

There is a nice article at https://www.tunetheweb.com/security/http-security-headers/secure-cookies/ how to implement web-server while i was wondering if there are any future implementations on roadmap that might conflict with webserver config.

Risk description:
Since the Secure flag is not set on the cookie, the browser will send it over an unencrypted channel (plain HTTP) if such a request is made. Thus, the risk exists that an attacker will intercept the clear-text communication between the browser and the server and he will steal the cookie of the user. If this is a session cookie, the attacker could gain unauthorized access to the victim’s web session.

Recommendation:
We recommend reconfiguring the web server in order to set the flag(s) Secure to all sensitive cookies.

More information about this issue:
https://blog.dareboost.com/en/2016/12/secure-cookies-secure-httponly-flags/.

alfred · October 4, 2017, 9:35am

Openvas also complains about that and gives a “medium” warning:

Summary

The host is running a server with SSL/TLS and is prone to information disclosure vulnerability.
Vulnerability Detection Result

The cookies:

Set-Cookie: 45342agfd4=replaced; path=/; HttpOnly

are missing the “secure” attribute.

Solution

Solution type: Mitigation Mitigation

Set the ‘secure’ attribute for any cookies that are sent over a SSL/TLS connection.
Affected Software/OS

Server with SSL/TLS.
Vulnerability Insight

The flaw is due to cookie is not using ‘secure’ attribute, which allows cookie to be passed to the server by the client over non-secure channels (http) and allows attacker to conduct session hijacking attacks.

Impact Level: Application
Vulnerability Detection Method

Details: SSL/TLS: Missing secure Cookie Attribute (OID: 1.3.6.1.4.1.25623.1.0.902661)

Version used: $Revision: 5543 $

References

Other:
https://www.owasp.org/index.php/SecureFlag
http://www.ietf.org/rfc/rfc2965.txt
Testing for cookies attributes (OTG-SESS-002) - OWASP

mzeyrek · October 4, 2017, 7:07pm

SameSiteCookieMiddleware.php that implements this feature but somehow not working for me.

	protected function setSameSiteCookie() {
		$cookieParams = $this->request->getCookieParams();
		$secureCookie = ($cookieParams['secure'] === true) ? 'secure; ' : '';
		$policies = [
			'lax',
			'strict',
		];
		// Append __Host to the cookie if it meets the requirements
		$cookiePrefix = '';
		if($cookieParams['secure'] === true && $cookieParams['path'] === '/') {
			$cookiePrefix = '__Host-';
		}

MichaIng · October 4, 2017, 8:43pm

I thought this was implemented as well as _host flag if nc is not in sub dir.

Did this issue found it’s way to github to get quick dev attention?

mzeyrek · October 4, 2017, 8:57pm

i have a dedicated domain and not running in any subdomain or subidr.
Thanks for github suggestion, i’ve just raised as an issue there

tflidd · October 5, 2017, 6:51am

ref: https://github.com/nextcloud/server/issues/6767