Monthly Archives: September 2013

A Rough Guide to the Secure Cookie

On a recent pentest, I reported that the session management cookie was not being set with the secure flag (surprise, surprise)…

No secure flag

No secure flag

But in this case it didn’t seem to matter so much. Why? Because port 80 was shut: the whole application was served over HTTPS so the cookie would never have the chance to escape over HTTP, even if an attacker could engineer such a scenario – for example, by enticing the victim to click on a HTTP link (although more on this shortly). This is because the TCP connection must be set up with the 3-way handshake before any application data is sent over it – and since the port was closed, the connection falls at the first hurdle [1]. Continue reading