Security scan report: Cookies missing the secure attribute


#1

Gogs version: 0.11.79
OS type and version: CentOS 7.6
Database: SQLite
Problem description: a security scan report says Gogs cookies are missing the Secure attribute and the HttpOnly attribute.

I found an example app.ini here, but it does not mention the HttpOnly attribute. I then added COOKIE_SECURE = true to app.ini, but the scan report still says Secure is missing :frowning_face:

Is there a way to fix this? Thanks!


#2

You need to be more specific... which cookie?


#3

Summary

The host is running a server with SSL/TLS and is prone to an information disclosure vulnerability.

Vulnerability Detection Result

The following cookies are missing the "secure" attribute:

Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647
Set-Cookie: i_like_gogs=replaced; Path=/; HttpOnly
Set-Cookie: _csrf=tlaJZNZRMzsuyvysL6MFEVD3i4E6MTU0ODkyNTc1ODE4OTQ5MzUwOQ%3D%3D; Path=/; Expires=Fri, 01 Feb 2019 09:09:18 GMT; HttpOnly
Set-Cookie: redirect_to=%252F; Path=/

Solution

Solution type: Mitigation

Set the 'secure' attribute on any cookies that are sent over an SSL/TLS connection.

Affected Software/OS

Server with SSL/TLS.

Vulnerability Insight

The flaw is due to the cookie not using the 'secure' attribute, which allows the cookie to be passed to the server by the client over non-secure channels (http) and allows an attacker to conduct session hijacking attacks.

Vulnerability Detection Method

Details: SSL/TLS: Missing secure Cookie Attribute (OID: 1.3.6.1.4.1.25623.1.0.902661)

Version used: $Revision: 11374 $

References

The above is the full text of the scan report; I think it refers to the cookies used when accessing the site from a browser.
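The four Set-Cookie headers in the report above can be checked locally with the same logic the scanner applies. The following is an added example (not Gogs code and not part of this thread): it feeds the reported header values, copied here as constructed sample input, through Go's own net/http cookie parser and lists which cookies lack Secure or HttpOnly. It also includes a hypothetical HardenedHandler that emits the same four cookie names with both attributes set (plus SameSite=Lax, which the report does not ask for), and an AuditHandler helper that runs any handler in memory so a fix can be re-verified without re-running the scanner. The host name gogs.example and the replaced cookie values are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// ReportedSetCookies holds the Set-Cookie header values quoted in the scan
// report above (constructed sample input for this example).
var ReportedSetCookies = []string{
	"lang=en-US; Path=/; Max-Age=2147483647",
	"i_like_gogs=replaced; Path=/; HttpOnly",
	"_csrf=tlaJZNZRMzsuyvysL6MFEVD3i4E6MTU0ODkyNTc1ODE4OTQ5MzUwOQ%3D%3D; Path=/; Expires=Fri, 01 Feb 2019 09:09:18 GMT; HttpOnly",
	"redirect_to=%252F; Path=/",
}

// Finding records one cookie and which hardening attributes it lacks.
type Finding struct {
	Name            string
	MissingSecure   bool
	MissingHttpOnly bool
}

// AuditSetCookies parses raw Set-Cookie values with net/http's parser (the
// same one a Go client uses) and reports every cookie that lacks Secure or
// HttpOnly. This is the check the scan report performs.
func AuditSetCookies(setCookies []string) []Finding {
	resp := &http.Response{Header: http.Header{}}
	for _, v := range setCookies {
		resp.Header.Add("Set-Cookie", v)
	}
	var findings []Finding
	for _, c := range resp.Cookies() {
		if c.Secure && c.HttpOnly {
			continue
		}
		findings = append(findings, Finding{
			Name:            c.Name,
			MissingSecure:   !c.Secure,
			MissingHttpOnly: !c.HttpOnly,
		})
	}
	return findings
}

// AuditHandler drives an http.Handler through an in-memory request and audits
// the Set-Cookie headers it emits, so a change can be verified offline.
func AuditHandler(h http.Handler) []Finding {
	rec := httptest.NewRecorder()
	// gogs.example is an assumed host name for the example request.
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "https://gogs.example/", nil))
	return AuditSetCookies(rec.Result().Header["Set-Cookie"])
}

// HardenedHandler is a hypothetical handler (not Gogs code) showing what the
// scanner expects: the same four cookie names, each sent with Secure and
// HttpOnly. SameSite=Lax is extra hardening the report does not mention.
func HardenedHandler(w http.ResponseWriter, r *http.Request) {
	cookies := map[string]string{
		"lang":        "en-US",
		"i_like_gogs": "replaced", // assumed placeholder value
		"_csrf":       "replaced", // assumed placeholder value
		"redirect_to": "%2F",
	}
	for name, value := range cookies {
		http.SetCookie(w, &http.Cookie{
			Name:     name,
			Value:    value,
			Path:     "/",
			Secure:   true,
			HttpOnly: true,
			SameSite: http.SameSiteLaxMode,
		})
	}
	w.WriteHeader(http.StatusNoContent)
}

func main() {
	fmt.Println("cookies from the scan report:")
	for _, f := range AuditSetCookies(ReportedSetCookies) {
		fmt.Printf("  %-12s missing Secure=%v HttpOnly=%v\n", f.Name, f.MissingSecure, f.MissingHttpOnly)
	}
	fmt.Printf("hardened handler: %d findings\n", len(AuditHandler(http.HandlerFunc(HardenedHandler))))
}
```

Run against the reported headers, the audit flags all four cookies: lang and redirect_to lack both attributes, while i_like_gogs and _csrf already carry HttpOnly and lack only Secure. Pointing AuditSetCookies at the Set-Cookie headers of a real response (for example from http.Get against the server) gives the same check the scanner runs, which is the quickest way to confirm whether a configuration change such as COOKIE_SECURE actually reached every cookie.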


#4

That should be the same as this one: https://github.com/gogs/gogs/issues/3525


#5

Hmm, so this cannot be fixed yet; we can only wait for the Go language update first :joy: