HTTP Cookie 'secure' Property Transport Mismatch

Nessus Plugin ID 69826

Synopsis

The remote web server sent out a cookie with a secure property that does not match the transport on which it was sent.

Description

The remote web server sends out cookies to clients with a 'secure' property that does not match the transport, HTTP or HTTPS, over which they were received. This may occur in two forms:

1. The cookie is sent over HTTP, but has the 'secure' property set, indicating that it should only be sent over a secure, encrypted transport such as HTTPS. This should not happen.

2. The cookie is sent over HTTPS, but has no 'secure' property set, indicating that it may be sent over both HTTP and HTTPS transports. This is common, but care should be taken to ensure that the 'secure' property not being set is deliberate.
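The following is an added example, not the plugin's own NASL code, showing how the two mismatch forms above can be checked from a response: parse each Set-Cookie header into its name and attributes, then compare the presence of the 'secure' attribute against the scheme of the URL the response came from. The function and finding labels are this example's own; the sample headers are constructed.

```python
from urllib.parse import urlsplit


def parse_set_cookie(header):
    """Split a Set-Cookie header into (cookie name, {attribute: value}).

    Attribute names are lower-cased because RFC 6265 treats them
    case-insensitively; flag attributes such as Secure map to None.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            attrs[part.lower()] = None
    return name, attrs


def check_cookie_transport(url, set_cookie_headers):
    """Return [(cookie name, finding)] for cookies whose 'secure' attribute
    does not match the transport the response arrived over.

    Finding labels (this example's own naming):
      'secure-over-http'     - form 1: Secure set on a cookie delivered over HTTP
      'no-secure-over-https' - form 2: Secure absent on a cookie delivered over HTTPS
    """
    scheme = urlsplit(url).scheme.lower()
    findings = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        has_secure = "secure" in attrs
        if scheme == "http" and has_secure:
            findings.append((name, "secure-over-http"))
        elif scheme == "https" and not has_secure:
            findings.append((name, "no-secure-over-https"))
    return findings


if __name__ == "__main__":
    # Constructed sample responses; not captured from any real server.
    samples = {
        "http://app.example/login": [
            "sid=abc123; Path=/; Secure; HttpOnly",   # form 1
            "lang=en; Path=/",                        # consistent with HTTP
        ],
        "https://app.example/login": [
            "sid=abc123; Path=/; SECURE; HttpOnly",   # consistent with HTTPS
            "track=xyz; Path=/; Max-Age=3600",        # form 2
        ],
    }
    for url, headers in samples.items():
        for cookie, finding in check_cookie_transport(url, headers):
            print(f"{url}: cookie {cookie!r}: {finding}")
```

Form 2 findings need review rather than automatic remediation: a cookie deliberately shared between HTTP and HTTPS pages will show up here, which is why the plugin reports it as informational and asks that the omission be confirmed as intentional.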

See Also

https://tools.ietf.org/html/rfc6265

Plugin Details

Severity: Info

ID: 69826

File Name: http_cookie_secure_mismatch.nasl

Version: 1.4

Type: remote

Family: CGI abuses

Published: 9/10/2013

Updated: 1/19/2021

Dependencies: http_version.nasl, webmirror.nasl

Vulnerability Information