ISRO site vulnerability exposed by Abir Atarthy

Indian Space Research Organization(http://www.isro.org )  is vulnerable to session hijak. This vulnerability is exposed by Abir Atarthy.

We have already mailed ISRO regarding this. The details are as follows:-

Vulnerability description: 
 
Cookie Not Marked As HttpOnly:-
HTTPOnly cookies can not be read by client-side scripts therefore marking a cookie as HTTPOnly can provide an additional layer of protection against Cross-site Scripting attacks.
Identified Cookie:-  ASP.NET_SessionId
Vulnerability Classifications:  OWASP A6 CWE-16
 Impact:-
During a Cross-site Scripting attack an attacker might easily access cookies and hijack the victim’s session.
Remedy:-
Consider marking all of the cookies used by the application as HTTPOnly. After these changes javascript code will not able to read cookies.

 

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: