Add script http-cookie-flags.nse: Report insecurely set HTTP session cookie flags. #669

Closed
wants to merge 10 commits into
from

Conversation

Projects
None yet
2 participants

Examines cookies set by HTTP services. Reports any session cookies set without the httponly flag. Reports any session cookies set over SSL without the secure flag. If http-enum.nse is also run, any interesting paths found by it will be checked in addition to the root.

nmap -p 443 --script ssl-cert-intaddr 10.1.2.3
Starting Nmap 7.40SVN ( https://nmap.org ) at 2017-01-12 03:47 EST
Nmap scan report for host.example.com (10.1.2.3)
Host is up (0.079s latency).
PORT     STATE    SERVICE VERSION
443/tcp  open     https
| http-session-cookie-flags:
|   /:
|     PHPSESSID:
|       secure flag not set and HTTPS in use
|   /admin/:
|     session_id:
|       secure flag not set and HTTPS in use
|       httponly flag not set
|   /mail/:
|     ASPSESSIONIDASDF:
|       httponly flag not set
|     ASP.NET_SessionId:
|_      secure flag not set and HTTPS in use
@dmiller-nmap

This is a great script and will be very useful for Nmap users. Take a look at the suggested changes and let us know what you think.

scripts/http-session-cookie-flags.nse
@@ -0,0 +1,139 @@
+
@dmiller-nmap

dmiller-nmap Jan 30, 2017

Need local string = require "string" here. Helpful code checking scripts are available on our Code Standards wiki page.

@xelphene

xelphene Jan 31, 2017

I will fix that and check out those scripts.

scripts/http-session-cookie-flags.nse
+without the httponly flag. Reports any session cookies set over SSL without
+the secure flag. If http-enum.nse is also run, any interesting paths found
+by it will be checked in addition to the root.
+]]
@dmiller-nmap

dmiller-nmap Jan 30, 2017

I wonder if this would be better called simply "http-cookie-flags" and have an option to check flags on all cookies. By removing "session" from the name, we open it up to other patterns (in the default case) that could specify other sensitive cookie names, even if they are not session cookies. Of course, the description would have to make it clear that only known-sensitive cookies are being reported.

@xelphene

xelphene Jan 31, 2017

That makes sense. I will rename the script.

scripts/http-session-cookie-flags.nse
+
+---
+-- @usage
+-- nmap -p 443 --script ssl-cert-intaddr <target>
@dmiller-nmap

dmiller-nmap Jan 30, 2017

copy-paste error, wrong script name

@xelphene

xelphene Jan 31, 2017

I will fix that.

scripts/http-session-cookie-flags.nse
+ '^FedAuth$',
+ '^ASPXAUTH$',
+ '[Ss][Ee][Ss][Ss][Ii][Oo][Nn]_*[Ii][Dd]'
+}
@dmiller-nmap

dmiller-nmap Jan 30, 2017

A couple more patterns: ^session$ is used by some frameworks, and your SESSION_ID match could use any non-alpha character in place of the underscore: [^%a]*

@xelphene

xelphene Jan 31, 2017

I will add those & change session_id.

scripts/http-session-cookie-flags.nse
+action = function(host, port)
+ local all_issues = stdnse.output_table()
+
+ all_issues['/'] = check_path(host, port, '/')
@dmiller-nmap

dmiller-nmap Jan 30, 2017

Most of our http-* scripts have a uri or path script-arg to allow requesting a specific path other than /. Please modify this to accept the same. It may be useful to let the user pass a specific cookie name to check, too.

scripts/http-session-cookie-flags.nse
+ local all_pages = stdnse.registry_get({host.ip, 'www', port.number, 'all_pages'})
+ if all_pages then
+ for _,path in ipairs(all_pages) do
+ all_issues[path] = check_path(host, port, path)
@dmiller-nmap

dmiller-nmap Jan 30, 2017

I worry that this might result in a lot of duplicate output if a cookie is set with a path of / for all lower-level urls. We should be able to pass the output table to the check_path function and have it add discovered cookies to the table based on the cookie's path attribute instead of simply using the path that was requested.

@xelphene

xelphene Jan 31, 2017

That's true. I'll change the structure of the output table like you suggest

However, in some cases I think that could lead to confusing output if different web apps set different cookies for the same path. For example:

GET /mail HTTP/1.0

200 OK
Set-Cookie: session_id=12345; path=/

and:

GET /docs HTTP/1.0

200 OK
Set-Cookie: ASP.NET_SessionId=67890; path=/

The script's output would be:

|   /:
|     session_id:
|       httponly flag not set
|     ASP.NET_SessionId:
|       httponly flag not set

What do you think about adding the requested path (from the first request the cookie was seen from, anyway) as an additional information item with the cookie, like this:

|   /:
|     session_id:
|       httponly flag not set   
|       Initially set from /mail
|     ASP.NET_SessionId:
|       httponly flag not set   
|       Initially set from /docs

nmap-bot closed this in dd4f367 Mar 1, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment