Cleartext Transmission Of Session Token


Overview of the Vulnerability

Session tokens help a server trust that the requests it is receiving come from a specific authenticated user. When a session token is transmitted in cleartext over an unencrypted channel, it can be intercepted via a Person-in-the-Middle (PitM) attack. This application transmits the session token in cleartext, which can allow an attacker to capture the session token via a PitM attack and send requests to the server while impersonating the legitimate user.

Business Impact

This vulnerability can lead to reputational damage and indirect financial loss to the company, as customers may view the application as insecure. It can also lead to data theft, since an attacker holding a legitimate session token can make requests to the server and manipulate data. However, the attacker is limited to the legitimate user's privileges within the application.

Steps to Reproduce

  1. Enable an HTTP interception proxy, such as Burp Suite or OWASP ZAP

  2. Use a browser to navigate to: {{URL}}

  3. View the HTTP headers using an HTTP interception proxy

  4. Observe the Secure flag is not set

  5. Observe that cookies are sent in cleartext

Proof of Concept (PoC)

The screenshots below show the session token being transmitted via cleartext:

{{screenshot}}

Guidance

Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. Your submission must include evidence of the vulnerability and not be theoretical in nature. For a cleartext transmission vulnerability, please include a simple URL that can be executed to easily demonstrate and reproduce the issue.

Attempt to perform additional actions using the provided session token (such as cookie-based XSS). If this is possible, provide a full Proof of Concept (PoC).

Recommendation(s)

The session token should be sent over an encrypted channel (HTTPS) at all times.

Additionally, it is best practice to enforce short session expiration times for all user sessions. This allows an attacker less time to use a valid session ID. However, session timeout values should be set based upon business needs which take into consideration the criticality of the application and the data contained within.
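The following is an added example, not part of this template, showing how the checks in the steps above and the recommendations here can be expressed in code: it parses the Set-Cookie headers of a captured HTTP response (a constructed sample is embedded), reports a cookie set over cleartext or missing the Secure flag, and produces the hardened header a server should send instead. The session-cookie name heuristic (SESSION_NAME_HINTS) and the eight-hour lifetime limit (MAX_SESSION_AGE) are assumed values to illustrate the expiration recommendation; the HttpOnly and SameSite attributes added by harden_set_cookie go beyond the Secure flag the template names.

```python
"""Audit Set-Cookie headers for cleartext-exposure risks (added example, not the template's own tooling)."""
from dataclasses import dataclass, field

# Assumed heuristic: cookie names that usually carry a session or auth token
SESSION_NAME_HINTS = ("sess", "sid", "token", "auth")
# Assumed policy value: session lifetime (seconds) above which a cookie is flagged
MAX_SESSION_AGE = 8 * 3600


@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool
    findings: list[str] = field(default_factory=list)


def parse_set_cookie(header_value: str):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr_lower: val_or_True})."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, has_eq, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_eq else True
    return name.strip(), value.strip(), attrs


def audit_cookie(header_value: str, scheme: str) -> CookieAudit:
    """Explain why this cookie could be captured or abused by an on-path observer."""
    name, _, attrs = parse_set_cookie(header_value)
    secure = "secure" in attrs
    httponly = "httponly" in attrs
    session_like = any(h in name.lower() for h in SESSION_NAME_HINTS)
    audit = CookieAudit(name, secure, httponly)
    if scheme == "http":
        audit.findings.append("set over cleartext HTTP: value already visible on the wire")
    if not secure:
        audit.findings.append("Secure flag missing: browser will also send it on http:// requests")
    if session_like and not httponly:
        audit.findings.append("HttpOnly missing on session-like cookie: readable from script")
    max_age = attrs.get("max-age")
    if session_like and isinstance(max_age, str) and max_age.isdigit() and int(max_age) > MAX_SESSION_AGE:
        audit.findings.append(f"Max-Age={max_age}s exceeds the assumed {MAX_SESSION_AGE}s session limit")
    return audit


def audit_response(raw_response: str, scheme: str) -> list[CookieAudit]:
    """Audit every Set-Cookie header in a raw HTTP response, as an interception proxy shows it."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    results = []
    for line in head.splitlines():
        key, _, val = line.partition(":")
        if key.strip().lower() == "set-cookie":
            results.append(audit_cookie(val.strip(), scheme))
    return results


def harden_set_cookie(header_value: str) -> str:
    """Return the header with Secure, HttpOnly and SameSite=Lax appended where absent."""
    _, _, attrs = parse_set_cookie(header_value)
    hardened = header_value.rstrip().rstrip(";")
    if "secure" not in attrs:
        hardened += "; Secure"
    if "httponly" not in attrs:
        hardened += "; HttpOnly"
    if "samesite" not in attrs:
        hardened += "; SameSite=Lax"
    return hardened


# Constructed sample: a cleartext login response with a long-lived, unflagged session cookie
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: sessionid=abc123def456; Path=/; Max-Age=2592000\r\n"
    "Set-Cookie: theme=dark; Path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>\r\n"
)

if __name__ == "__main__":
    for audit in audit_response(SAMPLE_RESPONSE, scheme="http"):
        print(f"{audit.name}: secure={audit.secure} httponly={audit.httponly}")
        for finding in audit.findings:
            print("  -", finding)
    print("hardened:", harden_set_cookie("sessionid=abc123def456; Path=/"))
```

Run against a proxy capture of the login response, the script lists each cookie with the reasons it is exposed; the same cookie set over https with the hardened header produces no findings, which is the end state the recommendation asks for.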

For further information, please see:
