ozzi-/JWT4B

Secure and HttpOnly flag detection returns false positives

Closed this issue · 2 comments

In the response below, JSON Web Tokens detected "No secure flag set" and "No HttpOnly flag set".

HTTP/1.1 303 See Other
...
Content-Length: 0
Connection: close
Set-Cookie: SECRET_SESSION=eyJhbGciOiJIUzI1NiJ9.ey[VALID_PAYLOAD].[VALID_SIGNATURE]; SameSite=Lax; Path=/; Secure; HTTPOnly
Location: /
...

Expected result: No alert, because flags are set.

ozzi- commented

Hi Awakenine
Thanks for your issue, I'll have a look!
Cheers

ozzi- commented

The problem is that your Set-Cookie header uses "wrong" capitalization of secure & httponly; see the standard here: https://tools.ietf.org/html/rfc6265#section-5.2.5

I tweaked JWT4B to use lowercase for the checks ;)
Make sure to get the newest release from the Burp store or the jar from our GitHub repo.
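As an added illustration (not JWT4B's own code, which is Java): a small Python check that compares Set-Cookie attribute names case-insensitively as RFC 6265 section 5.2 requires, next to the exact-spelling comparison that produces the false positive reported above. The sample header is constructed from the format in the report with placeholder token parts.

```python
from typing import Dict, List, Optional, Tuple

# Flags a JWT4B-style check looks for, in their lowercase canonical form.
REQUIRED_FLAGS = ("secure", "httponly")

def parse_set_cookie(header_value: str) -> Tuple[str, Dict[str, Optional[str]]]:
    """Split a Set-Cookie value into (cookie name, {attribute: value}).

    Attribute names are lowercased because RFC 6265 section 5.2 matches them
    case-insensitively; valueless attributes such as Secure map to None.
    """
    parts = [p.strip() for p in header_value.split(";")]
    cookie_name = parts[0].split("=", 1)[0].strip()
    attributes: Dict[str, Optional[str]] = {}
    for av in parts[1:]:
        if not av:
            continue  # tolerate "a=b;; Secure"
        if "=" in av:
            attr_name, attr_value = av.split("=", 1)
            attributes[attr_name.strip().lower()] = attr_value.strip()
        else:
            attributes[av.lower()] = None
    return cookie_name, attributes

def missing_flags(header_value: str, case_sensitive: bool = False) -> List[str]:
    """Return the required flags that are not present on the cookie.

    case_sensitive=True reproduces the buggy behaviour from the report: only
    the exact spellings "Secure" and "HttpOnly" are recognised, so "HTTPOnly"
    is wrongly reported as missing.
    """
    if case_sensitive:
        raw_attrs = {p.strip() for p in header_value.split(";")[1:]}
        exact = {"secure": "Secure", "httponly": "HttpOnly"}
        return [f for f in REQUIRED_FLAGS if exact[f] not in raw_attrs]
    _, attrs = parse_set_cookie(header_value)
    return [f for f in REQUIRED_FLAGS if f not in attrs]

# Constructed sample modelled on the header in the report; the token parts
# are placeholders, not a real JWT.
SAMPLE_HEADER = (
    "SECRET_SESSION=eyJhbGciOiJIUzI1NiJ9.PAYLOAD.SIGNATURE; "
    "SameSite=Lax; Path=/; Secure; HTTPOnly"
)

if __name__ == "__main__":
    print("exact-spelling check reports missing:", missing_flags(SAMPLE_HEADER, True))
    print("case-insensitive check reports missing:", missing_flags(SAMPLE_HEADER))
```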