[WT-12637] [Security] ZAP Scan Issue : Cookie No HttpOnly Flag - Workterra Jira

Details

Type: Bug
Status: In Development
Priority: Low
Resolution: Unresolved
Affects Version/s: None
Fix Version/s: None
Component/s: None
Labels:
None

Environment:

Production
Bug Severity:
Low
Level:

Admin, Employee, Partner
Module:
BenAdmin - Security
Reported by:
Harbinger
Company:
All Clients/Multiple Clients
Item State:
Development - In Analysis

Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

For more details please refer attached HTML report

CC Samir Rakesh Roy Jaideep Vinchurkar anirudha joshi
SearchEmp_Spider.html

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Attachments

EnrollNowWithPartnerLogin.html
48 kB
05/Dec/17 06:36 AM
SearchEmp_Spider.html
48 kB
05/Dec/17 06:09 AM
StaticReport_Spider.html
53 kB
05/Dec/17 06:35 AM

Issue Links

relates to

NF-2714 Vulnerability Assessment and Penetration Testing for Workterra on Azure US environment.

To Do

Activity

Ascending order - Click to sort in descending order

Prasad Pise (Inactive) created issue - 05/Dec/17 06:09 AM

Prasad Pise (Inactive) made changes - 05/Dec/17 06:10 AM

Field	Original Value	New Value
Link		This issue relates to NF-2714 [ NF-2714 ]

Prasad Pise (Inactive) made changes - 05/Dec/17 06:35 AM

Attachment

StaticReport_Spider.html [ 69272 ]

Prasad Pise (Inactive) made changes - 05/Dec/17 06:36 AM

Attachment

EnrollNowWithPartnerLogin.html [ 69273 ]

Santosh Balid (Inactive) made changes - 11/Dec/17 11:36 AM

Status

Open [ 1 ]

In Development [ 10007 ]

Hide

Permalink

Santosh Balid (Inactive) added a comment - 11/Dec/17 11:37 AM

Yes, we need to take care of this. While development we need to handle this such way that, we should pass a cookie value from server side code to function in java script code , so that after making 'IdForLoginValidation' cookie as HTTPOnly, there will not be an issue while reading this cookie value in java script, as currently we are accessing this cookie inside WORKTERRALogin.js to check user session.

Show

Santosh Balid (Inactive) added a comment - 11/Dec/17 11:37 AM Yes, we need to take care of this. While development we need to handle this such way that, we should pass a cookie value from server side code to function in java script code , so that after making 'IdForLoginValidation' cookie as HTTPOnly, there will not be an issue while reading this cookie value in java script, as currently we are accessing this cookie inside WORKTERRALogin.js to check user session.

Santosh Balid (Inactive) made changes - 11/Dec/17 11:37 AM

Item State

Parent values: Development(10200)Level 1 values: On Hold(10207)

Hide

Permalink

Santosh Balid (Inactive) added a comment - 11/Dec/17 11:38 AM

This Will be on-hold till we do not plan it for development in upcoming sprint.

Cc: Jaideep Vinchurkar

Show

Santosh Balid (Inactive) added a comment - 11/Dec/17 11:38 AM This Will be on-hold till we do not plan it for development in upcoming sprint. Cc: Jaideep Vinchurkar

Hide

Permalink

Santosh Balid (Inactive) added a comment - 16/Jan/18 01:25 PM

Please plan it in future sprints.

Cc : Satya, Jaideep Vinchurkar, Bharti Satpute

Show

Santosh Balid (Inactive) added a comment - 16/Jan/18 01:25 PM Please plan it in future sprints. Cc : Satya , Jaideep Vinchurkar , Bharti Satpute

Santosh Balid (Inactive) made changes - 16/Jan/18 01:25 PM

Assignee

Santosh Balid [ santosh.balid ]

Gaurav Sodani [ gaurav.sodani ]

Permalink

Santosh Balid (Inactive) logged work - 28/Feb/18 02:11 PM

Time Spent:

3.5h

<No comment>

Santosh Balid (Inactive) made changes - 28/Feb/18 02:11 PM

Remaining Estimate		0h [ 0 ]
Time Spent		3.5h [ 12600 ]
Worklog Id		106728 [ 106728 ]

Santosh Balid (Inactive) made changes - 28/Feb/18 02:11 PM

Item State

Parent values: Development(10200)Level 1 values: On Hold(10207)

Parent values: Development(10200)Level 1 values: In Analysis(10204)

Permalink

Santosh Balid (Inactive) logged work - 01/Mar/18 01:27 PM

Time Spent:

4h

<No comment>

Santosh Balid (Inactive) made changes - 09/Mar/18 01:28 PM

Time Spent	3.5h [ 12600 ]	7.5h [ 27000 ]
Worklog Id		107676 [ 107676 ]

Vijayendra Shinde (Inactive) made changes - 04/Apr/18 05:17 AM

Assignee

Gaurav Sodani [ gaurav.sodani ]

Vijayendra Shinde [ ID10506 ]

Vijayendra Shinde (Inactive) made changes - 15/Dec/20 02:40 AM

Link

This issue relates to DEV-13718 [ DEV-13718 ]

Transition	Time In Source Status	Execution Times

Santosh Balid (Inactive) made transition - 11/Dec/17 11:36 AM

Open

In Development

6d 5h 27m

People

Assignee:: Vijayendra Shinde (Inactive)

Reporter:: Prasad Pise (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 05/Dec/17 06:09 AM

Updated:: 15/Dec/20 02:40 AM

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

7.5h