SYM_PY_0236 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
Property | Value |
---|---|
Language | Python |
Severity | |
CWE | CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute |
OWASP | A05:2021 - Security Misconfiguration |
Confidence Level | Medium |
Impact Level | Low |
Likelihood Level | Low |
Description
The Pyramid authentication ticket cookie (the `auth_tkt` cookie issued by `AuthTktAuthenticationPolicy`, or by `AuthTktCookieHelper` under a Pyramid 2.0 security policy) is created without `secure=True`. The default for that parameter is `secure=False`, so the browser will attach the ticket to any request for the cookie's domain and path, including plaintext `http://` requests. The ticket is a signed bearer credential: whoever holds it is authenticated as that user, so sending it in cleartext exposes the session to anyone who can observe the network path. Serving the site only over HTTPS does not remove the issue on its own, because an attacker positioned on the network can cause the victim's browser to issue an `http://` request to the host (for example by injecting a reference to it into any plaintext page the victim loads) and the cookie is sent with it; HSTS narrows that window, but the `Secure` attribute is the direct fix. The same cookie should also carry `http_only=True` (Pyramid's default is `False`) so script cannot read it, and a `SameSite` value (Pyramid defaults to `'Lax'`).
Impact
An attacker who can observe or manipulate traffic on the victim's network path (shared Wi-Fi, a compromised router, an ISP-level position) can capture the ticket cookie from a plaintext request and replay it to the application, hijacking the user's session without knowing the password. The attacker then holds whatever access the victim had, including any administrative or sensitive areas, until the ticket expires or is reissued.
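The check below is an added example, not code from the Symbiotic database or from Pyramid. It audits the `Set-Cookie` headers a response emits for the CWE-614 condition (a sensitive cookie without `Secure`) and for the companion `HttpOnly` and `SameSite` attributes, using only the standard library so it runs anywhere; it also builds the header a hardened configuration would produce, and, when Pyramid is installed, constructs the corrected `AuthTktCookieHelper` (the `secure`, `http_only` and `samesite` parameters are Pyramid's own; the cookie names other than `auth_tkt` and the sample response headers are constructed for the example).

```python
"""Audit Set-Cookie headers for CWE-614 and show the hardened ticket cookie.

Added example for this database entry; not Pyramid code. Sample headers and
the SENSITIVE_COOKIE_NAMES list (apart from Pyramid's default "auth_tkt")
are constructed for illustration.
"""
from http.cookies import SimpleCookie

try:  # Pyramid is optional: the audit itself needs only the standard library.
    from pyramid.authentication import AuthTktCookieHelper
except ImportError:  # pragma: no cover - exercised only without Pyramid
    AuthTktCookieHelper = None

# Cookie names treated as sensitive for this check. "auth_tkt" is Pyramid's
# default ticket cookie name; the others are assumed names for the example.
SENSITIVE_COOKIE_NAMES = {"auth_tkt", "session", "sessionid"}


def audit_set_cookie(header_value):
    """Return findings for one Set-Cookie header value.

    Each finding is (cookie_name, missing_attribute). A sensitive cookie
    without Secure is the CWE-614 case; HttpOnly and SameSite are the
    attributes a reviewer also expects on an authentication cookie.
    """
    jar = SimpleCookie()
    jar.load(header_value)
    findings = []
    for name, morsel in jar.items():
        if name not in SENSITIVE_COOKIE_NAMES:
            continue
        # Morsel flags are True when present in the header and "" otherwise.
        if not morsel["secure"]:
            findings.append((name, "Secure"))
        if not morsel["httponly"]:
            findings.append((name, "HttpOnly"))
        if not morsel["samesite"]:
            findings.append((name, "SameSite"))
    return findings


def audit_response_headers(headers):
    """Audit every Set-Cookie header in a list of (name, value) pairs."""
    findings = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            findings.extend(audit_set_cookie(value))
    return findings


def hardened_ticket_cookie(ticket_value, max_age=3600):
    """Build the Set-Cookie value a fixed Pyramid configuration emits.

    Equivalent to AuthTktCookieHelper(secret, secure=True, http_only=True,
    samesite='Lax'); the ticket_value stands in for the signed ticket.
    """
    jar = SimpleCookie()
    jar["auth_tkt"] = ticket_value
    morsel = jar["auth_tkt"]
    morsel["path"] = "/"
    morsel["max-age"] = max_age
    morsel["secure"] = True      # never sent over plaintext HTTP (CWE-614 fix)
    morsel["httponly"] = True    # not readable from JavaScript
    morsel["samesite"] = "Lax"   # not attached to cross-site POSTs
    return morsel.OutputString()


def make_ticket_helper(secret):
    """Return the corrected Pyramid cookie helper, or None without Pyramid.

    The vulnerable form is AuthTktCookieHelper(secret) with the defaults
    secure=False and http_only=False.
    """
    if AuthTktCookieHelper is None:
        return None
    return AuthTktCookieHelper(secret, secure=True, http_only=True,
                               samesite="Lax")


# Constructed sample response: the vulnerable ticket cookie next to a
# harmless preference cookie that the audit should ignore.
SAMPLE_RESPONSE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "auth_tkt=5d41402abc4b2a76b9719d911017c592; Path=/"),
    ("Set-Cookie", "theme=dark; Path=/; Max-Age=31536000"),
]

if __name__ == "__main__":
    for cookie, attr in audit_response_headers(SAMPLE_RESPONSE_HEADERS):
        print(f"cookie {cookie!r} is missing the {attr} attribute")
    fixed = hardened_ticket_cookie("5d41402abc4b2a76b9719d911017c592")
    print("hardened:", fixed)
    print("findings on hardened cookie:", audit_set_cookie(fixed))
```

Run against a real deployment by feeding it the headers from `curl -sI https://host/login` (or from a proxy capture after authenticating); any `("auth_tkt", "Secure")` finding is this entry's condition. Note that `Secure` only protects the cookie in transit; it does not shorten the ticket's lifetime or replace HTTPS and HSTS on the site itself.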