Http only cookie bypass
09 May 2015
A vulnerability has been found in Play’s cookie handling code that could allow an attacker to bypass the
httpOnly flag on sensitive cookies.
Any Play apps that reflect cookie values back into the body of a response are vulnerable to this. One example of when this might be a case is if using Play’s CSRF support with
csrf.cookie.name configured, such that Play stores the csrf token in a cookie rather than the default of storing it in the session.
- Play 2.0 - 2.3.8
Upgrade to netty 3.9.8. For example:
libraryDependencies += "io.netty" % "netty" % "3.9.8.Final"
The issue has been fixed in Play 2.3.9.
CVSS metrics (more info)
- Base: 4.0
- Temporal: 3.1
- Environmental: 1.1
Environmental scores are assuming typical internet systems. Actual environmental scores for your organisation may differ.
Credit for finding this vulnerability goes to Roman Shafigullin, Luca Carettoni and Mukul Khullar from LinkedIn.