Hello,

I am trying to debug a problem with an OpenVAS scan showing this alert :

Medium (CVSS: 5.0)
NVT: Missing httpOnly Cookie Attribute
The cookies:
Set-Cookie: PHPSESSID=b093d474b2a3f60b27ee8e55327e2736; path=/
are missing the httpOnly attribute.
OID of test routine: 1.3.6.1.4.1.25623.1.0.105925
References
Other:
URL:https://www.owasp.org/index.php/HttpOnly
URL:https://www.owasp.org/index.php/Testing_for_cookies_attributes_(OTG-SESS-002)


I checked the reported site using curl, and it seems the site sends 2 cookies :

< Set-Cookie: PHPSESSID=e9129fb048df6e6bdfc141836a384085; path=/; secure; HttpOnly
< Set-Cookie: cookie_test=1419950532

According to curl, the PHPSESSID cookie has the httpOnly attribute set, while the cookie_test doesn't, so it seems that the plugin's output is wrong.


I traced the warning message back to the gb_missing_httponly_cookie_attribute.nasl plugin, and tried to run it manually with the command :

/usr/bin/openvas-nasl -X -t <IP> -i /var/lib/openvas/plugins /var/lib/openvas/plugins/2014/gb_missing_httponly_cookie_attribute.nasl

The script gives no output. I'm assuming the security_message() function is not interpreted when run from the command line, or should it display the warning ?


The site listens on port 443, so I tried to change this line in the script, as I found no way to set this value on the command line :
#port = get_http_port( default:80 );
port = get_http_port( default:443 );

The script still gives no output, and nothing is written to the OpenVAS log. The NASL language seems to lack any instruction to generate output, so I don't know how to troubleshoot this further ?


I've pasted the full nasl script to the end of this message.

By the way, I tried to look up the OID 1.3.6.1.4.1.25623.1.0.105925 on http://www.openvas.org/openvas-nvt-feed.html but it says "NVT not found"...


Thanks in advance for your help.

Sylvain Faivre



# cat /var/lib/openvas/plugins/2014/gb_missing_httponly_cookie_attribute.nasl

###############################################################################
# OpenVAS Vulnerability Test
# $Id: gb_missing_httponly_cookie_attribute.nasl 809 2014-11-17 12:12:28Z mime $
# Description:
# Missing httpOnly Cookie Attribute
#
# Authors:
# Christian Fischer <[email protected]>
#
# Copyright:
# Copyright (c) 2014 SCHUTZWERK GmbH
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.105925");
  script_version("$Revision: 809 $");
  script_tag(name:"last_modification", value:"$Date: 2014-11-17 13:12:28 +0100 (Mon, 17 Nov 2014) $");
  script_tag(name:"creation_date", value:"2014-09-01 16:00:00 +0100 (Mon, 01 Sep 2014)");
  script_tag(name:"cvss_base", value:"5.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:N/A:N");

  script_name("Missing httpOnly Cookie Attribute");

  script_summary("Check if the httpOnly cookie attribute is set");

  script_category(ACT_GATHER_INFO);

  script_copyright("Copyright (c) 2014 SCHUTZWERK GmbH");
  script_family("Web application abuses");
  script_require_ports("Services/www", 80);

  script_tag(name : "summary" , value : "The application is missing the 'httpOnly' cookie attribute");
  script_tag(name : "vuldetect" , value : "Check all cookies sent by the application for a missing 'httpOnly' attribute");
  script_tag(name : "insight" , value : "The flaw is due to a cookie is not using the 'httpOnly' attribute. This allows a cookie to be accessed by JavaScript which could lead to session hijacking attacks.");
  script_tag(name : "impact" , value : "Application");
  script_tag(name : "affected" , value : "Application with session handling in cookies.");
  script_tag(name : "solution" , value : "Set the 'httpOnly' attribute for any session cookies.");

  script_xref(name : "URL" , value : "https://www.owasp.org/index.php/HttpOnly");
  script_xref(name : "URL" , value : "https://www.owasp.org/index.php/Testing_for_cookies_attributes_(OTG-SESS-002)");

  exit(0);
}

include("http_func.inc");
include("http_keepalive.inc");
print ("toto");
port = get_http_port( default:80 );
if( ! get_port_state( port ) ) exit( 0 );
print ("tata");
req = http_get( item:"/", port:port );
buf = http_send_recv( port:port, data:req, bodyonly:FALSE );

if( buf && "Set-Cookie:" >< buf )
{
  cookies = egrep( string:buf, pattern:"Set-Cookie:.*" );
  if( cookies )
  {
    Lst = split( cookies, sep:'\n', keep:0 );
    vuln = 0;
    for( i = 0; i < max_index( Lst ); i++ )
    {
      if( !( Lst[i] =~ ";[ ]?[H|h]ttp[O|o]nly?[^a-zA-Z0-9_-]?" ) )
      {
        vuln = 1;
        vulnCookies = vulnCookies + Lst[i] + '\n';
      }
    }
    if( vuln )
    {
      report = 'The cookies:\n\n' + vulnCookies + '\nare missing the httpOnly attribute.';
      security_message( port:port, data:report );
      exit( 0 );
    }
  }
}



_______________________________________________
Openvas-discuss mailing list
[email protected]
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
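
The per-cookie check from the message above, as an added example that is not part of the original post or of the OpenVAS plugin: it parses each Set-Cookie line into attributes and compares the result with the plugin's pattern evaluated by Python's `re`. The function names and the `CONSTRUCTED` line are assumptions made for illustration; the other two inputs are the header lines quoted in the post.

```python
import re

# Set-Cookie lines copied from the post: the scan report and the curl output.
SCAN_REPORT = "Set-Cookie: PHPSESSID=b093d474b2a3f60b27ee8e55327e2736; path=/\n"
CURL_OUTPUT = (
    "Set-Cookie: PHPSESSID=e9129fb048df6e6bdfc141836a384085; path=/; secure; HttpOnly\n"
    "Set-Cookie: cookie_test=1419950532\n"
)
# Constructed line (not from the post): an attribute that only starts with "httponly".
CONSTRUCTED = "Set-Cookie: demo=1; httponlyx\n"

# Pattern taken from the pasted plugin, evaluated here with Python's re module.
PLUGIN_PATTERN = re.compile(r";[ ]?[H|h]ttp[O|o]nly?[^a-zA-Z0-9_-]?")


def set_cookie_lines(raw_headers):
    """Return the Set-Cookie header lines found in a raw header dump."""
    lines = (line.strip() for line in raw_headers.splitlines())
    return [l for l in lines if l.lower().startswith("set-cookie:")]


def cookie_attributes(line):
    """Split one Set-Cookie line into (cookie name, set of lower-cased attribute names)."""
    value = line.split(":", 1)[1]
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def missing_httponly(raw_headers):
    """Cookie names whose attribute list has no exact 'httponly' entry."""
    parsed = (cookie_attributes(l) for l in set_cookie_lines(raw_headers))
    return [name for name, attrs in parsed if "httponly" not in attrs]


def flagged_by_plugin_pattern(raw_headers):
    """Cookie names the plugin's pattern would report (lines where it does not match)."""
    return [cookie_attributes(l)[0] for l in set_cookie_lines(raw_headers)
            if not PLUGIN_PATTERN.search(l)]


if __name__ == "__main__":
    for label, raw in (("scan report", SCAN_REPORT), ("curl", CURL_OUTPUT),
                       ("constructed", CONSTRUCTED)):
        print(label, "| parser:", missing_httponly(raw),
              "| plugin pattern:", flagged_by_plugin_pattern(raw))
```

Feeding it the headers captured from each port of the same host separately shows which response a given finding came from.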
