• Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
    Dedicated community for Japanese speakers
  • 한국 커뮤니티
    Dedicated community for Korean speakers
Exit
0

How to Increase entropy of CFID and CFTOKEN

New Here ,
Apr 21, 2021 Apr 21, 2021

Copy link to clipboard

Copied

Our application is scanned against penetration testing  found below vulnarability -

comments from Vuln team-

this application does not validate attESSec cookie if CFID and CFTOKEN represents specific session. These two tokens are also used (in GET request parameters) in one specific automatic request by every user of the app after they are loggedin by Logon. These two cookies are therefore severely weakened in its confidentiality. In conclusion this vulnerability is consisting of: 1. low entropy in CFID and CFTOKEN 2. these two are sent in GET request by the app logic 3. there is no validation in attESSec and attESHr cookie and that severely weakens authentication

Resolution
Increase entropy of CFID and CFTOKEN

 

can you help me how to Increase entropy of CFID and CFTOKEN?

Views

121

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Apr 21, 2021 Apr 21, 2021

Copy link to clipboard

Copied

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Enthusiast ,
Apr 21, 2021 Apr 21, 2021

Copy link to clipboard

Copied

LATEST

It sounds like part of the problem in your finding is that you are putting the CFID / CFTOKEN in the URL of a GET request after login. To prevent that you should look for a cflocation tag and add the attribute addtoken="false" to it. That will prevent the redirect from appending the CFID / CFTOKEN in the URL.

 

You can also switch to JEE sessions, and then you could potentially increase the size of the jsessionid in the tomcat settings which would increase the entropy of your session identifier.

 

Pete Freitag

Foundeo Inc.

 

 

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Resources
Documentation