How to Increase entropy of CFID and CFTOKEN

Question

Our application is scanned against penetration testing found below vulnarability -

comments from Vuln team-

this application does not validate attESSec cookie if CFID and CFTOKEN represents specific session. These two tokens are also used (in GET request parameters) in one specific automatic request by every user of the app after they are loggedin by Logon. These two cookies are therefore severely weakened in its confidentiality. In conclusion this vulnerability is consisting of: 1. low entropy in CFID and CFTOKEN 2. these two are sent in GET request by the app logic 3. there is no validation in attESSec and attESHr cookie and that severely weakens authentication

Resolution
Increase entropy of CFID and CFTOKEN

can you help me how to Increase entropy of CFID and CFTOKEN?

pete_freitag · Answer

It sounds like part of the problem in your finding is that you are putting the CFID / CFTOKEN in the URL of a GET request after login. To prevent that you should look for a cflocation tag and add the attribute addtoken="false" to it. That will prevent the redirect from appending the CFID / CFTOKEN in the URL.

You can also switch to JEE sessions, and then you could potentially increase the size of the jsessionid in the tomcat settings which would increase the entropy of your session identifier.

Pete Freitag

Foundeo Inc.

Sign up

To post, reply, or follow discussions, please sign in with your Adobe ID.

Sign in to Adobe Community

To post, reply, or follow discussions, please sign in with your Adobe ID.

Scanning file for viruses.

This file cannot be downloaded