[Openstack-security] [Bug 1197459] Re: noVNC contains the session token in URL and insecurely sets the session cookie

Matthew Edmonds edmondsw at us.ibm.com
Fri Jul 29 20:46:03 UTC 2016


This is what AppScan (a dynamic security scanning product) says about
this kind of issue:

Query Parameter in SSL Request
Threat Classification: Information Leakage
Causes: Query parameters were passed over SSL, and may contain sensitive information
Security Risks: It may be possible to steal sensitive data such as credit card numbers, social security numbers etc. that are sent unencrypted
CWE: 598
X-Force: 52845

References:
Financial Privacy: The Gramm-Leach Bliley Act, https://www.ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act
Health Insurance Portability and Accountability Act (HIPAA), http://www.hhs.gov/hipaa/index.html
Sarbanes-Oxley Act, https://www.sec.gov/spotlight/sarbanes-oxley.htm
California SB1386, http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html

Technical Description:
During the application test, it was detected that a request, which was sent over SSL, contained parameters that were transmitted in the Query part of an HTTP request.
When sending requests, the browser's history can be used to reveal the URLs, which contain the query parameter names and values.
Due to the sensitivity of encrypted requests, it is suggested to use HTTP POST (without parameters in the URL string) when possible, in order to avoid the disclosure of URLs and parameter values to others.

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1197459

Title:
  noVNC contains the session token in URL and insecurely sets the
  session cookie

Status in OpenStack Compute (nova):
  Opinion
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  The VNC Console connection in Nova works by having the user connect to
  the API which returns a URL such as:
  https://example.com:443/?token=abc, where the token has a TTL which is
  then used to create a session from a WebSocket. However, URLs should
  not contain sensitive information such as session tokens with a TTL
  since URLs can be leaked through proxy logs or other types of attacks
  such as Cross-Site Scripting. Additionally, due to the session cookie
  being set with JavaScript it cannot securely be set to HttpOnly nor is
  it set with the Secure flag making it further susceptible to Cross-
  Site Scripting attacks or leakage through a non-SSL connection. To
  limit the exposure of the token being leaked through the URL the
  returned token from the API should be of a one-time use and only used
  as an authentication token in order to obtain a session. The session
  cookie should be set by a Web Service instead of the client in order
  to securely set the cookie with the HttpOnly flag in addition to the
  Secure flag.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1197459/+subscriptions
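The following is an added example, not code from Nova, noVNC or the bug reporter, that puts the two points above into working form: the AppScan finding (secrets carried in a query string are exposed through browser history and proxy logs, so carry them in a POST body instead) and the fix the bug description proposes (a one-time, TTL-bounded token exchanged for a session whose cookie is set by the server with HttpOnly and Secure). The class and function names, the cookie name and the 60-second TTL are assumptions for illustration; the websocket handshake is reduced to reading the Cookie header.

```python
"""Added example, not Nova or noVNC code: one-time console tokens exchanged
over POST for a server-set HttpOnly/Secure session cookie. ConsoleAuth,
exchange_token, authorize_websocket and the cookie name are hypothetical."""
import hashlib
import secrets
import time
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

TOKEN_TTL = 60                  # seconds; the bug mentions a TTL but not its value
COOKIE_NAME = "novnc_session"   # hypothetical cookie name
SENSITIVE_PARAMS = {"token", "session", "sid", "password"}


def _digest(secret):
    # Store only a hash so a dump of the store does not yield live tokens.
    return hashlib.sha256(secret.encode()).hexdigest()


class ConsoleAuth:
    """Token store: a token is consumed on first use and exchanged for a session."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._tokens = {}    # sha256(token) -> (instance_id, expires_at)
        self._sessions = {}  # sha256(session_id) -> instance_id

    def issue_token(self, instance_id):
        """What the console API hands back; the client POSTs it, never puts it in a URL."""
        token = secrets.token_urlsafe(32)
        self._tokens[_digest(token)] = (instance_id, self._clock() + TOKEN_TTL)
        return token

    def exchange_token(self, token):
        """Handler for the POST that carries the token in the body.
        pop() makes the token one-time: a replay from a proxy log fails.
        Returns a session id, or None for unknown, used or expired tokens."""
        entry = self._tokens.pop(_digest(token), None)
        if entry is None:
            return None
        instance_id, expires_at = entry
        if self._clock() > expires_at:
            return None
        session_id = secrets.token_urlsafe(32)
        self._sessions[_digest(session_id)] = instance_id
        return session_id

    def instance_for_session(self, session_id):
        return self._sessions.get(_digest(session_id))


def session_set_cookie(session_id):
    """Set-Cookie header value the server emits after a successful exchange.
    Only the server can attach HttpOnly; document.cookie in the browser cannot."""
    jar = SimpleCookie()
    jar[COOKIE_NAME] = session_id
    morsel = jar[COOKIE_NAME]
    morsel["httponly"] = True
    morsel["secure"] = True
    morsel["samesite"] = "Strict"
    morsel["path"] = "/"
    return morsel.OutputString()


def authorize_websocket(auth, cookie_header):
    """WebSocket upgrade: take the session from the Cookie header (never from
    the URL) and return the instance it is bound to, or None."""
    jar = SimpleCookie()
    try:
        jar.load(cookie_header or "")
    except Exception:  # CookieError on malformed input
        return None
    morsel = jar.get(COOKIE_NAME)
    if morsel is None:
        return None
    return auth.instance_for_session(morsel.value)


def secrets_in_query(url):
    """AppScan-style check: which sensitive names appear in the query string?
    The URL shape from the bug, https://example.com:443/?token=abc, is flagged."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(name for name in query if name.lower() in SENSITIVE_PARAMS)


if __name__ == "__main__":
    auth = ConsoleAuth()
    token = auth.issue_token("instance-1")
    print("leaky URL params:", secrets_in_query(f"https://example.com:443/?token={token}"))
    sid = auth.exchange_token(token)
    print("Set-Cookie:", session_set_cookie(sid))
    print("replay of token:", auth.exchange_token(token))
    print("ws bound to:", authorize_websocket(auth, f"{COOKIE_NAME}={sid}"))
```

The token is hashed before storage so a leaked store does not contain usable credentials, and the exchange both consumes and expiry-checks the token, so a token copied from a proxy log or browser history is worthless once the legitimate client has used it or the TTL has passed. The cookie carries SameSite=Strict in addition to the two flags the bug asks for, which also limits cross-site use of the session.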
