2

We have a web application running on Laravel 5.4. We have given this Website to an auditing service to check the vulnerabilities. Their report says that There is threat of Session Hijacking. In the report, They have mentioned below threat.

THREAT: Suppose there are Two users A and B

  1. Log into the account of A and copy the session id and XSRF-TOKEN cookies of the user.
  2. Now open another browser chrome, Login to the account of B.
  3. Now paste the Cookies of A (session id and XSRF-TOKEN ) in place of cookies of B (session id and XSRF-TOKEN ).
  4. Now just reload the chrome. That's it. Immediately, user A account will be opened.

I have tried it and they are correct. But, how to fix the issue? They recommended me to Turn on HttpOnly and Secure cookies with SSL encrypted, which I did.

Even after doing that, the issue is still there. Am I checking in the correct way? How to check the session hijacking vulnerability after setting HttpOnly and Secure?

Naroju
  • 2,637
  • 4
  • 25
  • 44
  • 2
    Use HTTPS. Laravel should already have `HttpOnly` set. With those two things in place, this attack would require direct physical access to the victim's browser, at which point you've already got bigger problems. – ceejayoz Jul 17 '19 at 14:41
  • @ceejayoz Yeah, HTTPS is already there with `HttpOnly` and `Secure`. `this attack would require direct physical access to the victim's browser` which means doing 1 to 4(mentioned in the question) to test the vulnerability is not correct right? – Naroju Jul 17 '19 at 14:45
  • 1
    Automated tests will often do this - throw false positives, or be overly aggressive in what they consider a vulnerability. You can typically flag it as mitigated, and enter the steps you took. Consider adding HSTS headers, but otherwise you've done what you can. – ceejayoz Jul 17 '19 at 14:50

0 Answers0