[WT-12637] [Security] ZAP Scan Issue : Cookie No HttpOnly Flag - Workterra Jira

Details

Type: Bug
Status: In Development
Priority: Low
Resolution: Unresolved
Affects Version/s: None
Fix Version/s: None
Component/s: None
Labels:
None

Environment:

Production
Bug Severity:
Low
Level:

Admin, Employee, Partner
Module:
BenAdmin - Security
Reported by:
Harbinger
Company:
All Clients/Multiple Clients
Item State:
Development - In Analysis

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

For more details please refer attached HTML report

CC Samir Rakesh Roy Jaideep Vinchurkar anirudha joshi
SearchEmp_Spider.html

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Attachments

EnrollNowWithPartnerLogin.html
48 kB
05/Dec/17 06:36 AM
SearchEmp_Spider.html
48 kB
05/Dec/17 06:09 AM
StaticReport_Spider.html
53 kB
05/Dec/17 06:35 AM

Issue Links

relates to

NF-2714 Vulnerability Assessment and Penetration Testing for Workterra on Azure US environment.

To Do

Activity

Ascending order - Click to sort in descending order

Hide

Permalink

Santosh Balid (Inactive) added a comment - 11/Dec/17 11:37 AM

Yes, we need to take care of this. While development we need to handle this such way that, we should pass a cookie value from server side code to function in java script code , so that after making 'IdForLoginValidation' cookie as HTTPOnly, there will not be an issue while reading this cookie value in java script, as currently we are accessing this cookie inside WORKTERRALogin.js to check user session.

Show

Santosh Balid (Inactive) added a comment - 11/Dec/17 11:37 AM Yes, we need to take care of this. While development we need to handle this such way that, we should pass a cookie value from server side code to function in java script code , so that after making 'IdForLoginValidation' cookie as HTTPOnly, there will not be an issue while reading this cookie value in java script, as currently we are accessing this cookie inside WORKTERRALogin.js to check user session.

Hide

Permalink

Santosh Balid (Inactive) added a comment - 11/Dec/17 11:38 AM

This Will be on-hold till we do not plan it for development in upcoming sprint.

Cc: Jaideep Vinchurkar

Show

Santosh Balid (Inactive) added a comment - 11/Dec/17 11:38 AM This Will be on-hold till we do not plan it for development in upcoming sprint. Cc: Jaideep Vinchurkar

Hide

Permalink

Santosh Balid (Inactive) added a comment - 16/Jan/18 01:25 PM

Please plan it in future sprints.

Cc : Satya, Jaideep Vinchurkar, Bharti Satpute

Show

Santosh Balid (Inactive) added a comment - 16/Jan/18 01:25 PM Please plan it in future sprints. Cc : Satya , Jaideep Vinchurkar , Bharti Satpute

People

Assignee:: Vijayendra Shinde (Inactive)

Reporter:: Prasad Pise (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 05/Dec/17 06:09 AM

Updated:: 15/Dec/20 02:40 AM

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

7.5h