Detections
Analytics
Web Server Generic Cookie Injection
medium Nessus Plugin ID 44135
Language:
Synopsis
The remote web server is prone to a cookie injection attack.Description
The remote host is running a web server that fails to adequately sanitize request strings of malicious JavaScript. By leveraging this issue, an attacker may be able to inject arbitrary cookies. Depending on the structure of the web application, it may be possible to launch a 'session fixation' attack using this mechanism.Please note that :
- Nessus did not check if the session fixation attack is feasible.
- This is not the only vector of session fixation.
Solution
Contact the vendor for a patch or upgrade.See Also
https://en.wikipedia.org/wiki/Session_fixation
https://www.owasp.org/index.php/Session_Fixation
http://www.acros.si/papers/session_fixation.pdf
http://projects.webappsec.org/w/page/13246960/Session%20Fixation
Plugin Details
Severity: Medium
ID: 44135
File Name: cookie_manipulation.nasl
Version: 1.13
Type: remote
Family: CGI abuses
Published: 1/25/2010
Updated: 4/11/2022
Configuration: Enable thorough checks
Supported Sensors: Nessus
Risk Information
CVSS v2
Risk Factor: Medium
Base Score: 4.3
Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N