1. Test SSL Nextcloud server at https://pentest-tools.com/website-vulnerability-scanning/web-server-scanner?run
2. Getting medium security rating due to secure cookie not being implemented.
Penetration test fails to pass, as SameSiteCookieMiddleware.php seems to handle the request by sending cookies via http without the secure flag in https.
More details: https://help.nextcloud.com/t/secure-cookie-implementation/21854/3
Operating system: Debian 9 Stretch
Web server: nginx/1.10.3
Database: MariaDB 10.2
PHP version: 7.0
Nextcloud version: (see Nextcloud admin page) 12.0.3
@LukasReschke
Openvas also produces a medium warning with this content for an instance not running in a subdirectory:
Summary: The host is running a server with SSL/TLS and is prone to information disclosure vulnerability.
Vulnerability Detection Result: The cookies: Set-Cookie: 45342agfd4=replaced; path=/; HttpOnly are missing the "secure" attribute.
Solution: Solution type: Mitigation. Set the "secure" attribute for any cookies that are sent over a SSL/TLS connection.
Affected Software/OS: Server with SSL/TLS.
Vulnerability Insight: The flaw is due to cookie is not using "secure" attribute, which allows cookie to be passed to the server by the client over non-secure channels (http) and allows attacker to conduct session hijacking attacks.
Impact Level: Application
Vulnerability Detection Method: Details: SSL/TLS: Missing secure Cookie Attribute (OID: 1.3.6.1.4.1.25623.1.0.902661) Version used: $Revision: 5543 $
References: Other: https://www.owasp.org/index.php/SecureFlag2 http://www.ietf.org/rfc/rfc2965.txt https://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)
The secure flag is applied as soon as you log in. Thus there's not really a security issue here.
Unfortunately this does not seem to be true, @LukasReschke.

I've double-checked with Firefox's "Storage" inspector and all cookies are marked as "Secure: false".
@jomo did you by any chance first access the site via plain http?
I can't trigger this otherwise.
That comment pointed me in the right direction. TLS termination is done by nginx, I should have thought of that...
I had to add this to the config.php:
'overwriteprotocol' => 'https'
Can confirm it's working now, thanks!
In fact, the cookies are sent as secure even before login.
See observatory.mozilla.org report:

Guess this issue can be closed?
I just had to do this for my docker nextcloud setup. At least in my case (and I'm assuming for others too), TLS is done by the nginx docker container. As a result, this test as well as the __host prefix test on scan.nextcloud.com were failing. I suppose this should be addressed on the docker-nextcloud repo as well.
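As an added example (not code from this thread or from Nextcloud), a small checker for Set-Cookie headers of the kind the scanners above flag: it reports a missing Secure attribute and also applies the __Host- prefix rules behind the scan.nextcloud.com test mentioned in the last comment. The first sample header is the one from the OpenVAS output above; the __Host- cookie names are constructed.

```python
"""Check Set-Cookie headers for the Secure attribute and __Host- prefix rules.

Behind a TLS-terminating proxy (the situation in this thread) the app sees a
plain-http request and omits Secure; this checker shows what a scanner sees.
"""
from typing import Dict, List, Tuple


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Return (cookie name, {attribute-name-lowercased: value}) for one header."""
    value = header.strip()
    if value.lower().startswith("set-cookie:"):
        value = value.split(":", 1)[1].strip()
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def cookie_issues(header: str) -> List[str]:
    """List findings for a Set-Cookie header served over HTTPS (empty = clean)."""
    name, attrs = parse_set_cookie(header)
    issues: List[str] = []
    if "secure" not in attrs:
        # What OpenVAS / pentest-tools reported for this Nextcloud instance.
        issues.append(f"{name}: missing Secure attribute")
    if "httponly" not in attrs:
        issues.append(f"{name}: missing HttpOnly attribute")
    if name.startswith("__Host-"):
        # RFC 6265bis __Host- prefix: Secure, Path=/, and no Domain attribute.
        if attrs.get("path") != "/":
            issues.append(f"{name}: __Host- cookie must have Path=/")
        if "domain" in attrs:
            issues.append(f"{name}: __Host- cookie must not set Domain")
    return issues


# Sample headers: the first is from the OpenVAS output above, the rest are constructed.
SAMPLE_HEADERS = [
    "Set-Cookie: 45342agfd4=replaced; path=/; HttpOnly",
    "Set-Cookie: __Host-example=1; Path=/; Secure; HttpOnly; SameSite=lax",
    "Set-Cookie: __Host-broken=1; Path=/apps; Domain=example.test; Secure; HttpOnly",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(h, "->", cookie_issues(h) or "ok")
```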