secure cookie fails penetration tests

[mzeyrek]

Steps to reproduce

1.test SSL nextcloud server at https://pentest-tools.com/website-vulnerability-scanning/web-server-scanner?run
2.getting medium security due secure cookie not implemented
3. nextcloud is running under dedicated domain, not subdomain.

Expected behaviour

Penetration test to pass as SameSiteCookieMiddleware.php seems to handle request

Actual behaviour

sending cookies via http without secure flag in https.
More details : https://help.nextcloud.com/t/secure-cookie-implementation/21854/3

Server configuration

Operating system: Debian 9 Stretch
Web server: nginx/1.10.3
Database: MariaDB 10.2
PHP version: 7.0
Nextcloud version: (see Nextcloud admin page) 12.0.3

[rullzer]

@LukasReschke

[e-alfred]

Openvas also produces a medium warning with this content for an instance not running in a subdirectory:

Summary

The host is running a server with SSL/TLS and is prone to information disclosure vulnerability.
Vulnerability Detection Result

The cookies:

Set-Cookie: 45342agfd4=replaced; path=/; HttpOnly

are missing the “secure” attribute.

Solution

Solution type: Mitigation Mitigation

Set the ‘secure’ attribute for any cookies that are sent over a SSL/TLS connection.
Affected Software/OS

Server with SSL/TLS.
Vulnerability Insight

The flaw is due to cookie is not using ‘secure’ attribute, which allows cookie to be passed to the server by the client over non-secure channels (http) and allows attacker to conduct session hijacking attacks.

Impact Level: Application
Vulnerability Detection Method

Details: SSL/TLS: Missing secure Cookie Attribute (OID: 1.3.6.1.4.1.25623.1.0.902661)

Version used: $Revision: 5543 $

References

Other:
https://www.owasp.org/index.php/SecureFlag2
http://www.ietf.org/rfc/rfc2965.txt
https://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)

[LukasReschke]

The secure flag is applied as soon as you log-in. There's not really a security issue here thus.

[jomo]

Unfortunately this does not seem to be true, @LukasReschke.

I've double checked with Firefox' "Storage" inspector and all cookies are marked as "Secure: false".

[rullzer]

@jomo did you by any chance first access the site via plain http?
I can't trigger this otherwise.

[jomo]

That comment pointed me in the right direction. TLS termination is done by nginx, I should have thought of that…

I had to add this to the config.php:

'overwriteprotocol' => 'https'

Can confirm it's working now, thanks!

[jomo]

In fact, the cookies are sent as secure even before login.

See observatory.mozilla.org report:

Guess this issue can be closed?

[pgera]

I just had to do this for my docker nextcloud setup. At least in my case (and I'm assuming for others too), tls is done by the nginx docker container. As a result, this test as well as the __host prefix test on scan.nextcloud.com were failing. I suppose this should be addressed on the docker-nextcloud repo as well.