Missing cookie security headers
Description
Release Notes
None
Activity
Nick Briggs November 10, 2021 at 12:21 AM (Edited)
See

Venkatachalapati Rao Jasti September 29, 2021 at 7:30 PM
Keen to know if this issue is ever going to be part of any future fix. We are using CDAP 6.3. Thank you in advance.

Venkatachalapati Rao Jasti August 25, 2021 at 12:20 PM
Request for an update on whether a fix for this issue is planned in any of the upcoming releases. We are using CDAP 6.3.

Venkatachalapati Rao Jasti July 21, 2021 at 5:11 AM
Kindly suggest whether there is any roadmap to cover this issue in the upcoming CDAP releases (post 6.3).
Observation
We found that the cookies set by the web application are not configured securely.
Hadoop uses the “bcookie” and DEFAULT_UI cookies. All Hadoop-related hosts and ports are affected.
The CDAP instances and the CDAP_Auth_Token cookie are also affected.
Risk
With a successful MITM attack or a cross-site scripting vulnerability, the attacker can obtain the value of the affected cookies.
The secure flag disallows the transmission of the cookie through a non-secure (non-HTTPS) channel, making sure that it cannot be stolen and the session cannot be hijacked.
The httpOnly flag notifies the browser that the given cookie cannot be used by client-side scripting, thus giving some protection in case of cross-site scripting (XSS) vulnerabilities.
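A small audit for the two attributes discussed above, as an added example that is not part of the CDAP issue or the CDAP code base: it parses Set-Cookie headers and reports which cookies lack Secure or HttpOnly. The header lines are constructed samples that reuse the cookie names from the report.

```python
"""Report cookies whose Set-Cookie header lacks the Secure or HttpOnly attribute.

Added example, not CDAP project code. The sample headers below are constructed.
"""
from typing import Dict, List

# Constructed sample Set-Cookie headers using the cookie names from the report.
SAMPLE_HEADERS = [
    "Set-Cookie: bcookie=abc123; Path=/",
    "Set-Cookie: DEFAULT_UI=v1; Path=/; HttpOnly",
    "Set-Cookie: CDAP_Auth_Token=tok; Path=/; Secure",
    "Set-Cookie: JSESSIONID=xyz; Path=/; Secure; HttpOnly; SameSite=Strict",
]


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Return the cookie name and the set of its attribute names (lower-cased)."""
    value = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; value-bearing ones (Path=/) keep only the key.
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return {"name": name, "attrs": attrs}


def missing_flags(header: str) -> List[str]:
    """List which of Secure / HttpOnly the cookie lacks; empty means both are present."""
    attrs = parse_set_cookie(header)["attrs"]
    return [flag for flag in ("Secure", "HttpOnly") if flag.lower() not in attrs]


def audit(headers: List[str]) -> Dict[str, List[str]]:
    """Map each cookie name to its missing flags; cookies with no findings are omitted."""
    findings: Dict[str, List[str]] = {}
    for header in headers:
        missing = missing_flags(header)
        if missing:
            findings[str(parse_set_cookie(header)["name"])] = missing
    return findings


if __name__ == "__main__":
    for cookie, flags in audit(SAMPLE_HEADERS).items():
        print(f"{cookie}: missing {', '.join(flags)}")
```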