Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository ikus060/rdiffweb prior to 2.4.2.
The Secure attribute is not set on sensitive cookies (such as the session cookie) issued during HTTPS sessions, so a browser will also send those cookies over unencrypted HTTP connections to the same host.
https://cwe.mitre.org/data/definitions/614.html

Session sidejacking takes advantage of an unencrypted communication channel between a victim and target system. The attacker sniffs traffic on a network looking for session tokens in unencrypted traffic. Once a session token is captured, the attacker performs malicious actions by using the stolen token with the targeted application to impersonate the victim. This attack is a specific method of session hijacking, which is exploiting a valid session token to gain unauthorized access to a target system or information. Other methods to perform a session hijacking are session fixation, cross-site scripting, or compromising a user or server machine and stealing the session token.

https://capec.mitre.org/data/definitions/102.html

| Product | Vendor | Status |
|---|---|---|
| rdiffweb | | Tracked |
| rdiffweb | * | Tracked |
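The following is an added example, not code from rdiffweb or from this advisory, showing how to check a Set-Cookie header for the missing Secure attribute described above and what the attribute changes for a browser. It uses only the Python standard library. The cookie name `session_id`, the cookie values and the two sample Set-Cookie headers are constructed for the example; the real cookie name and fix in rdiffweb are not taken from this page.

```python
"""Audit Set-Cookie headers for the Secure attribute (CWE-614).

Added example, not rdiffweb code. Standard library only.
"""
from http.cookies import SimpleCookie

# Cookie names treated as session-bearing. "session_id" is an assumption
# for this example; use whatever name the application under test emits.
SENSITIVE_NAMES = {"session_id"}

# Morsel flag key -> attribute name as it appears on the wire.
FLAG_LABELS = {"secure": "Secure", "httponly": "HttpOnly"}

# Constructed sample headers (not captured from rdiffweb).
WEAK_SET_COOKIE = "session_id=7c1f9e2a4b; Path=/; HttpOnly"
HARDENED_SET_COOKIE = "session_id=7c1f9e2a4b; Path=/; HttpOnly; Secure; SameSite=Lax"


def parse_set_cookie(header: str) -> SimpleCookie:
    """Parse one Set-Cookie header value into a SimpleCookie jar."""
    jar = SimpleCookie()
    jar.load(header)
    return jar


def audit_set_cookie(header: str, sensitive_names=SENSITIVE_NAMES) -> dict:
    """Return {cookie_name: [missing attributes]} for sensitive cookies.

    An empty dict means every sensitive cookie in the header carries both
    Secure and HttpOnly. Non-sensitive cookies are ignored.
    """
    findings = {}
    for name, morsel in parse_set_cookie(header).items():
        if name not in sensitive_names:
            continue
        # A flag morsel attribute is True when present, "" when absent.
        missing = [label for flag, label in FLAG_LABELS.items() if not morsel[flag]]
        if missing:
            findings[name] = missing
    return findings


def sent_over_plain_http(header: str, name: str = "session_id") -> bool:
    """True if a browser would attach this cookie to an http:// request.

    That is exactly the exposure session sidejacking relies on: without
    Secure, one cleartext request to the same host leaks the token.
    """
    jar = parse_set_cookie(header)
    return name in jar and not jar[name]["secure"]


def build_session_cookie(value: str, secure: bool = True,
                         httponly: bool = True, path: str = "/") -> str:
    """Emit a Set-Cookie value; secure=False reproduces the weak form."""
    jar = SimpleCookie()
    jar["session_id"] = value
    jar["session_id"]["path"] = path
    if httponly:
        jar["session_id"]["httponly"] = True
    if secure:
        jar["session_id"]["secure"] = True
    # output() prefixes the header name; an empty header leaves the bare value.
    return jar.output(header="").strip()


if __name__ == "__main__":
    for label, header in (("weak", WEAK_SET_COOKIE), ("hardened", HARDENED_SET_COOKIE)):
        print(label, audit_set_cookie(header), "leaks over http:",
              sent_over_plain_http(header))
```

Run `audit_set_cookie` over the Set-Cookie headers returned by the login endpoint of an HTTPS deployment; any sensitive cookie reported with `Secure` missing is the condition this advisory describes, and `sent_over_plain_http` makes the consequence concrete.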