Comments (8)
I'm going to go ahead and close this off as I feel the goal here is to dismiss a warning in an automated scanner, rather than to consider the context, risk and actual security implications.
If you believe there is an actual risk I'm happy to hear feedback/input but I'd need that explained with context, which in this case is for an XSRF token where we send XSRF tokens in HTML responses anyway.
Perfect! That's easier, I'll ask all vulnerability scanners to make an exception 🥇
Not only the vulnerability scanner reports this issue, but also OWASP ZAP; they must be wrong, of course.
ZAP Scanning Report.pdf
@ducarrozb Please confirm exactly what cookie you're referring to that you'd consider a security issue in this context.
@ducarrozb thanks for providing the detail.
I don't really see making the XSRF token HttpOnly adding any reasonable security benefit here since, following the scenario in the "Vulnerability Insight" section, the XSRF token could just be read from the DOM anyway.
While the XSRF token is session based, it is not the user session itself.
If you do foresee some security risk here, feel free to explain it within the context of this application and the specific use of the cookie to help me understand any actual risk/concerns.
Hmm, not sure if hackers see that the same way as you:
- https://www.perplexity.ai/search/Apache-fix-Missing-7eI5FlMzT1m14oaeI30Iqg#0
- https://www.rfc-editor.org/rfc/rfc6265#section-5.2.6
- https://owasp.org/www-community/HttpOnly
- https://wiki.owasp.org/index.php/Testing_for_Session_Management_Schema_(OTG-SESS-001)
As you can see in the report, the cookie could lead to session hijacking attacks.
As mentioned above, I tried to insert
<IfModule mod_headers.c>
Header always edit Set-Cookie (.*) "$1; HttpOnly"
</IfModule>
in different files, but the problem persists. I wonder in which file I have to add these lines, since this would be the solution to the problem.
@ducarrozb None of those links indicate why the lack of HttpOnly for an XSRF token cookie (which is already in the HTML) would be an issue. I understand how HttpOnly can help security and where it's useful (like for sessions, where it's already used), but otherwise I'm not sure why we need to make this change for the XSRF token outside of not throwing an alert in the specific automated scanner you use.
Hi,
I have the same problem here. When scanning for vulnerabilities, the BookStack website comes up with "Set the 'HttpOnly' cookie attribute for any session cookie".
In the Apache config we set the VirtualHost to force these secure cookies:
<VirtualHost bookstack.mydomain.tld:443>
Header always edit Set-Cookie ^(.*)$ "$1;HttpOnly;Secure"
...
</VirtualHost>
Apache is up to date, and the module mod_headers.so is loaded.
What can we do?
Many thanks
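An added example, not part of this thread or of BookStack: it parses Set-Cookie headers the way RFC 6265 section 5.2 does (attribute names compared case-insensitively), audits a few constructed sample headers for missing HttpOnly/Secure flags the way a scanner would, and emulates the Apache `Header always edit Set-Cookie` rewrite to show why a rule that appends "HttpOnly." with a trailing period yields an unrecognised attribute while the `^(.*)$ "$1;HttpOnly;Secure"` form does not. Cookie names and values are constructed.

```python
import re

# Constructed sample Set-Cookie headers: a session cookie with both flags,
# an XSRF cookie missing HttpOnly, and one produced by a rule that appended
# "HttpOnly." (with a trailing period) instead of "HttpOnly".
SAMPLE_SET_COOKIE = [
    "app_session=abc123; path=/; secure; httponly; samesite=lax",
    "XSRF-TOKEN=tok456; path=/; secure; samesite=lax",
    "example_cookie=xyz789; path=/; HttpOnly.",
]

def parse_set_cookie(header):
    """Return (name, value, {attribute-name: attribute-value}).

    Attribute names are lower-cased for comparison as RFC 6265 s5.2 requires,
    so "HttpOnly" and "httponly" both count, but "HttpOnly." is a different,
    unknown attribute that no browser treats as the HttpOnly flag.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            aname, _, avalue = part.partition("=")
            attrs[aname.strip().lower()] = avalue.strip()
    return name.strip(), value.strip(), attrs

def audit_cookies(headers):
    """Map each cookie name to the list of flags ('httponly', 'secure') it lacks."""
    findings = {}
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        findings[name] = [f for f in ("httponly", "secure") if f not in attrs]
    return findings

def apache_header_edit(header, pattern, replacement):
    """Emulate `Header always edit Set-Cookie <pattern> <replacement>`.

    Apache writes back-references as $1..$9; Python's re uses \\1..\\9,
    so the replacement is translated before applying the first-match edit.
    """
    py_repl = re.sub(r"\$(\d)", r"\\\1", replacement)
    return re.sub(pattern, py_repl, header, count=1)

if __name__ == "__main__":
    print(audit_cookies(SAMPLE_SET_COOKIE))
    raw = "XSRF-TOKEN=tok456; path=/"
    for pat, repl in ((r"(.*)", "$1; HttpOnly."), (r"^(.*)$", "$1;HttpOnly;Secure")):
        edited = apache_header_edit(raw, pat, repl)
        print(edited, "->", audit_cookies([edited]))
```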