topic Re: Missing Secure Flag on the SSL Cookie after a vulnerability assessment ran on PA820 in General Topics

Missing Secure Flag on the SSL Cookie after a vulnerability assessment ran on PA820

Mohammed_Yasin — Wed, 10 Feb 2021 06:53:24 GMT

In my case, the team is performing a vulnerability assessment on PA820

Vulnerability Title: Missing Secure Flag From SSL Cookie

Description: The Secure attribute tells the browser to only send the cookie if the request is being sent over a secure channel such as HTTPS. This will help protect the cookie from being passed over unencrypted requests. If the application can be accessed over both HTTP and HTTPS, then there is the potential that the cookie can be sent in cleartext.

The scanning was running to the MGMT IP,

How to find out the Missing Secure Flag on the SSL Cookie

Re: Missing Secure Flag on the SSL Cookie after a vulnerability assessment ran on PA820

kiwi — Wed, 10 Feb 2021 10:25:37 GMT

Hi @Mohammed_Yasin ,

https://live.paloaltonetworks.com/t5/threat-vulnerability-discussions/check-and-help-resolving-vapt-reported-issues-global-protect-ssl/td-p/374153

I'd recommend reaching out to support with the findings of your vulnerability assessment.

Cheers,

-Kiwi.

Re: Missing Secure Flag on the SSL Cookie after a vulnerability assessment ran on PA820

ManojV5 — Wed, 02 Feb 2022 10:33:24 GMT

Hi @Mohammed_Yasin - Have you got any updates about this vulnerability. If yes, can you pls share?

Re: Missing Secure Flag on the SSL Cookie after a vulnerability assessment ran on PA820

Jacobsaq — Fri, 04 Feb 2022 04:20:00 GMT

The cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie's scope.

rapidfs

Re: Missing Secure Flag on the SSL Cookie after a vulnerability assessment ran on PA820

kiwi — Wed, 02 Feb 2022 12:59:36 GMT

Hi @ManojV5 ,

Could be a false positive as the secure flag is set when I check on my lab (PA-VM running 9.1 and 10.1) ... unfortunately I don't have a PA-820 to test but you can easily verify yourself with the command:

$ curl -k -i https://<yourIP> /php/login.php

Feel free to run the same command on your device and check the response (notice the secure flag is set in Set-Cookie in both my responses):

AMSMAC60KYG8WL:~ kwens$ curl -k -i https://192.168.0.207/php/login.php >>>>> PAN-OS 9.1 HTTP/1.1 200 OK Date: Wed, 02 Feb 2022 12:46:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-FRAME-OPTIONS: DENY X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; Strict-Transport-Security: max-age=31536000 Set-Cookie: PHPSESSID=95a09564ecf30d16912f68458c038b57; path=/; HttpOnly; SameSite=Strict; secure; HttpOnly Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Allow: GET, HEAD, POST, PUT, DELETE, OPTIONS AMSMAC60KYG8WL:~ kwens$ curl -k -i https://192.168.0.75/php/login.php >>>>> PAN-OS 10.1 HTTP/1.1 200 OK Date: Wed, 02 Feb 2022 12:41:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-FRAME-OPTIONS: SAMEORIGIN X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: Strict-Transport-Security: max-age=31536000 Set-Cookie: PHPSESSID=5420dde555d4512fd0ba4a4129b57581; path=/; HttpOnly; SameSite=Strict; secure; HttpOnly Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Allow: GET, HEAD, POST, PUT, DELETE, OPTIONS

Unless they are checking for something else it seems to me that the secure flag is set correctly.

Hope this helps,

-Kiwi.

Re: Missing Secure Flag on the SSL Cookie after a vulnerability assessment ran on PA820

ManojV5 — Thu, 03 Feb 2022 04:06:30 GMT

Hi @kiwi - Thanks, I will be checking it.