WebSession: HttpOnly cookie attribute #3064

Closed
tiborsimko opened this issue Apr 28, 2015 · 0 comments

@tiborsimko

Issue

NVT: Missing httpOnly Cookie Attribute
OID: 1.3.6.1.4.1.25623.1.0.105925
Threat: Medium (CVSS: 5.0)
Port: 80/tcp

Summary:
The application is missing the 'httpOnly' cookie attribute

Vulnerability Detection Result:
The cookies:
Set-Cookie: INVENIOSESSIONstub=NO; path=/
Set-Cookie: INVENIOSESSION=4432f39a12d25fd882509fec4bdd92d5; path=/ are mis

@tiborsimko tiborsimko self-assigned this Apr 28, 2015
@tiborsimko tiborsimko added this to the v1.0.x milestone Apr 28, 2015
tiborsimko added a commit to tiborsimko/invenio that referenced this issue Apr 28, 2015
* SECURITY Adds back the `HttpOnly` cookie attribute in order to better
  protect against potential XSS vulnerabilities.  (closes inveniosoftware#3064)

Signed-off-by: Tibor Simko <[email protected]>
tiborsimko added a commit to tiborsimko/invenio that referenced this issue Apr 28, 2015
* SECURITY Adds back the `HttpOnly` cookie attribute in order to better
  protect against potential XSS vulnerabilities.  (closes inveniosoftware#3064)

Signed-off-by: Tibor Simko <[email protected]>
Reviewed-by: Samuele Kaplun <[email protected]>
tiborsimko added a commit to tiborsimko/invenio that referenced this issue May 12, 2015
* Adds HttpOnly attribute to stub cookies as well.  (addresses inveniosoftware#3064)

Signed-off-by: Tibor Simko <[email protected]>
Reviewed-by: Lars Holm Nielsen <[email protected]>
tiborsimko added a commit to inspirehep/invenio that referenced this issue May 13, 2015
* SECURITY Adds back the `HttpOnly` cookie attribute in order to better
  protect against potential XSS vulnerabilities.  (closes inveniosoftware#3064)

Signed-off-by: Tibor Simko <[email protected]>
Reviewed-by: Samuele Kaplun <[email protected]>

Conflicts:
	modules/websession/lib/session.py
	modules/webstyle/lib/webinterface_handler_wsgi_utils.py
tiborsimko added a commit to inspirehep/invenio that referenced this issue May 15, 2015
* SECURITY Adds back the `HttpOnly` cookie attribute in order to better
  protect against potential XSS vulnerabilities.  (closes inveniosoftware#3064)

Signed-off-by: Tibor Simko <[email protected]>
Reviewed-by: Samuele Kaplun <[email protected]>

Conflicts:
	modules/websession/lib/session.py
	modules/webstyle/lib/webinterface_handler_wsgi_utils.py
Dziolas pushed a commit to SCOAP3/invenio that referenced this issue Jun 5, 2015
* SECURITY Adds back the `HttpOnly` cookie attribute in order to better
  protect against potential XSS vulnerabilities.  (closes inveniosoftware#3064)

Signed-off-by: Tibor Simko <[email protected]>
Reviewed-by: Samuele Kaplun <[email protected]>

Conflicts:
	modules/websession/lib/session.py
	modules/webstyle/lib/webinterface_handler_wsgi_utils.py
Dziolas pushed a commit to SCOAP3/invenio that referenced this issue Jun 5, 2015
* Adds HttpOnly attribute to stub cookies as well.  (addresses inveniosoftware#3064)

Signed-off-by: Tibor Simko <[email protected]>
Reviewed-by: Lars Holm Nielsen <[email protected]>
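
The check behind the scan result, and the effect of the two fixes named in the commit messages (session cookie, then stub cookie), as an added Python example that is not Invenio's own code. The sample headers are constructed to mirror the scan output with a placeholder session value, and `build_cookie` and `hardened_headers` are hypothetical helpers.

```python
from http.cookies import SimpleCookie

# Constructed sample mirroring the two headers in the scan result above;
# the session value is a placeholder, not a real session id.
SCAN_HEADERS = [
    "Set-Cookie: INVENIOSESSIONstub=NO; path=/",
    "Set-Cookie: INVENIOSESSION=PLACEHOLDER; path=/",
]


def parse_set_cookie(header):
    """Return (cookie_name, set of lower-cased attribute names)."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; flags such as HttpOnly carry no '='.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return name, attrs


def missing_httponly(headers):
    """Names of cookies whose Set-Cookie header lacks the HttpOnly flag."""
    flagged = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if "httponly" not in attrs:
            flagged.append(name)
    return flagged


def build_cookie(name, value, path="/"):
    """Emit a Set-Cookie header with HttpOnly set (hypothetical helper)."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = path
    jar[name]["httponly"] = True
    return "Set-Cookie: " + jar[name].OutputString()


def hardened_headers():
    """Both cookies from the scan, re-issued with HttpOnly (stub included)."""
    return [build_cookie("INVENIOSESSIONstub", "NO"),
            build_cookie("INVENIOSESSION", "PLACEHOLDER")]


if __name__ == "__main__":
    print("flagged before:", missing_httponly(SCAN_HEADERS))
    print("flagged after: ", missing_httponly(hardened_headers()))
```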