Product Vulnerability - Cookie in URL/Information Disclosure
Article ID: 202877

Products

CA Infrastructure Management, CA Performance Management - Usage and Administration, DX NetOps

Issue/Introduction

A penetration test identified the following issue.

Explanation of Issue

The cookie stated below was found to be transmitted in URLs. Placing cookies into the URL increases the risk that they will be captured by an attacker, since URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. Furthermore, they may be disclosed to third parties via the Referer header when any off-site links are followed.


Proposed remedy:

The application should use an alternative mechanism for transmitting session tokens. Sensitive parameters should be removed from the URL; it is also recommended that they be carried in HTTP cookies or in hidden form fields submitted using the POST method.

Environment

DX NetOps Performance Management 20.x

Resolution

The URL in question is produced by the Generate URL feature, whose sole purpose is to create a link that can be emailed to users or placed on a portal page.

If the link is going into an email, it cannot be converted to a POST submission.

If it is going into a portal, it can be placed in a form: the portal breaks the query parameters of the URL out into hidden form fields, and submitting the form sends the request. Alternatively, the URL can be used as the src of an iframe, which loads the view graph.
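The portal-side conversion described above, as an added example that is not DX NetOps code or anything Broadcom ships: the generated link is parsed, its query parameters become hidden inputs in a form that POSTs to the same path, or the unchanged link becomes an iframe src. The host, path and parameter names in the sample URL are constructed placeholders, and the example assumes the target endpoint accepts the same parameters in a POST body, as the resolution states.

```javascript
// Added example (not DX NetOps / Broadcom code). Converts a "Generate URL"
// style link into portal markup so the view token is no longer part of a
// GET URL that the portal itself emits. Host, path and parameter names are
// constructed placeholders.

// Minimal attribute/text escaping so parameter values cannot break out of
// the generated markup.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Split the generated URL into the form action (origin + path) and its
// decoded query parameters. Only HTTPS links are accepted, because the
// resolution relies on TLS to hide the parameters from a network sniffer.
function splitGeneratedUrl(generatedUrl) {
  const u = new URL(generatedUrl);
  if (u.protocol !== "https:") {
    throw new Error("refusing to embed a non-HTTPS view URL");
  }
  const params = [];
  for (const [name, value] of u.searchParams) {
    params.push({ name, value });
  }
  return { action: `${u.origin}${u.pathname}`, params };
}

// Option 1: a POST form with one hidden field per query parameter. The
// browser re-encodes the values into the request body on submit.
function buildPostForm(generatedUrl, formId = "netops-view") {
  const { action, params } = splitGeneratedUrl(generatedUrl);
  const hidden = params
    .map(p => `  <input type="hidden" name="${escapeHtml(p.name)}" value="${escapeHtml(p.value)}">`)
    .join("\n");
  return [
    `<form id="${escapeHtml(formId)}" method="post" action="${escapeHtml(action)}">`,
    hidden,
    `  <button type="submit">Open view</button>`,
    `</form>`,
  ].join("\n");
}

// Option 2: an iframe that loads the view graph directly. The link is
// validated with the same parser but used unchanged.
function buildIframe(generatedUrl) {
  splitGeneratedUrl(generatedUrl);
  return `<iframe src="${escapeHtml(generatedUrl)}"></iframe>`;
}

// Constructed sample link; "PLACEHOLDER-VIEW-TOKEN" stands in for a real token.
const SAMPLE_URL = "https://netops.example.internal/view?token=PLACEHOLDER-VIEW-TOKEN&id=42";

if (typeof require !== "undefined" && require.main === module) {
  console.log(buildPostForm(SAMPLE_URL));
  console.log(buildIframe(SAMPLE_URL));
}

module.exports = { escapeHtml, splitGeneratedUrl, buildPostForm, buildIframe, SAMPLE_URL };
```

The form variant keeps the token out of the portal's own links, browser history and any intermediate access logs for that page; the iframe variant still loads the token-bearing URL in the browser, so it only avoids the user copying or bookmarking the link by hand.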

The URL is also sent over HTTPS, which hides the actual parameters from a network sniffer. Whether the request uses POST or GET makes no difference in that respect: anyone able to sniff the plain HTTP traffic sees both the request URL and the body.


So this is not something many would try to use. In addition, the view token carries information that limits it to that one view, its settings, and an expiration date.

Per engineering, there isn't anything we can do for this issue.