Our application was scanned during penetration testing, which found the vulnerability below.
Comments from the vuln team:
This application does not validate the attESSec cookie to check whether CFID and CFTOKEN represent a specific session. These two tokens are also used (in GET request parameters) in one specific automatic request made by every user of the app after they are logged in via Logon. The confidentiality of these two cookies is therefore severely weakened. In conclusion, this vulnerability consists of:
1. low entropy in CFID and CFTOKEN
2. these two are sent in a GET request by the app logic
3. there is no validation of the attESSec and attESHr cookies, which severely weakens authentication
Resolution
Increase entropy of CFID and CFTOKEN
Can you help me with how to increase the entropy of CFID and CFTOKEN?
For greater security, you should switch from ColdFusion sessions (CFID/CFToken) to J2EE sessions.
It sounds like part of the problem in your finding is that you are putting the CFID / CFTOKEN in the URL of a GET request after login. To prevent that you should look for a cflocation tag and add the attribute addtoken="false" to it. That will prevent the redirect from appending the CFID / CFTOKEN in the URL.
You can also switch to JEE sessions, and then you could potentially increase the size of the jsessionid in the Tomcat settings, which would increase the entropy of your session identifier.
Pete Freitag
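The cflocation fix from the answer above, shown as a login handler with the weak redirect beside the corrected one. This is an added example, not code from the original thread; `isValidLogin()` and the `/account/home.cfm` path are assumed names for the application's own credential check and landing page.

```cfml
<!--- login.cfm (added example): authenticate, then redirect without
      leaking the session identifiers into the URL --->
<cfif structKeyExists(form, "username") AND structKeyExists(form, "password")>

    <!--- isValidLogin() is an assumed application function that checks
          the submitted credentials against the user store --->
    <cfif isValidLogin(form.username, form.password)>
        <cfset session.user = form.username>

        <!--- WEAK: addtoken defaults to "yes" when session management is on,
              so the redirect target becomes
              /account/home.cfm?CFID=...&CFTOKEN=...
              and the tokens end up in browser history, Referer headers
              and web server access logs.
        <cflocation url="/account/home.cfm">
        --->

        <!--- FIXED: addtoken="false" keeps CFID/CFTOKEN in cookies only;
              the browser still sends them with the redirected request --->
        <cflocation url="/account/home.cfm" addtoken="false">
    <cfelse>
        <!--- Same message for unknown user and wrong password --->
        <cfset request.loginError = "Invalid username or password">
    </cfif>

</cfif>
```

To confirm the fix, log in and check that the Location header of the redirect no longer carries a `CFID`/`CFTOKEN` query string; grepping the web server access logs for `CFID=` is a quick way to find any remaining cflocation or cfhttp calls that still append the tokens.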