SSL Cookie without Secure Flag Set

Report generated by XSS.CX at Sun Mar 20 09:14:28 CDT 2011.


1. SSL cookie without secure flag set

1.1. https://account.woot.com/signup

1.2. https://online.citibank.com/JPS/portal/GetHTMLContent.do

1.3. https://online.citibank.com/JRSAO/ao_online/editLocation.do

1.4. https://online.citibank.com/US/JRS/pands/detail.do

1.5. https://online.citibank.com/US/JRS/portal/template.do

1.6. https://online.citibank.com/US/JSO/signon/DisplayUsernameSignon.do

1.7. https://sites.fastspring.com/richardsonsoftware/instant/editrocket

1.8. https://sites.fastspring.com/richardsonsoftware/order/customer

1.9. https://sites.fastspring.com/richardsonsoftware/view

1.10. https://ssl.myyearbook.com/login

1.11. https://www.drivenissanleaf.com/Event/

1.12. https://www.facebook.com/login.php

1.13. https://www.riftgame.com/en/products/index.php



1. SSL cookie without secure flag set
There are 13 instances of this issue:

Issue background

If the Secure attribute is set on a cookie, a browser will only send that cookie over an encrypted (HTTPS) connection and never attach it to a plain HTTP request, so an attacker monitoring network traffic cannot trivially read it from the wire. If the attribute is not set, the browser sends the cookie in clear text whenever the user requests any HTTP URL within the cookie's domain and path scope. An attacker can usually induce such a request by feeding the user a suitable link, either directly or via another web site. Even if the issuing domain serves no content over HTTP, a link of the form http://example.com:443/ achieves the same result: the browser treats the scheme as HTTP and sends the request, cookie included, in clear text before the TLS-only server rejects it. Note that the HttpOnly attribute, which some of the cookies below do carry, only blocks script access to the cookie; it has no effect on whether the cookie is transmitted over HTTP. The Secure attribute is the only cookie-level control for that.
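As an added illustration (not part of the XSS.CX report), the following Python script reproduces the behaviour described above using the standard library's http.cookiejar, whose DefaultCookiePolicy applies the same Secure rule a browser does: a cookie marked Secure is returned only for https (or wss) requests, everything else is returned for any scheme and any port within the cookie's host and path scope. It stores the two cookies from the Citibank response in instance 1.2 as if they had been issued over HTTPS, then checks which of them a client would attach to later requests, including the http://host:443/ trick. The URLs and cookie values are copied from this report; the helper class and function names are mine.

```python
import email.message
import http.cookiejar
import urllib.request


class _Response:
    """Minimal stand-in for the response object CookieJar.extract_cookies()
    inspects: it only needs an info() method returning the headers."""

    def __init__(self, set_cookie_headers):
        self._headers = email.message.Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value  # Message appends, so repeats are kept

    def info(self):
        return self._headers


def cookies_sent_to(set_cookie_headers, issued_by_url, request_url):
    """Store the given Set-Cookie headers as if a response from issued_by_url
    carried them, then return the sorted names of the cookies the client
    would attach to a later request for request_url."""
    jar = http.cookiejar.CookieJar()  # DefaultCookiePolicy: Secure cookies only over https/wss
    jar.extract_cookies(_Response(set_cookie_headers),
                        urllib.request.Request(issued_by_url))
    later = urllib.request.Request(request_url)
    jar.add_cookie_header(later)
    header = later.get_header("Cookie")
    if not header:
        return []
    return sorted(part.split("=", 1)[0].strip() for part in header.split(";"))


# Both cookies from the response in instance 1.2 of this report: one carries
# the Secure attribute, the session cookie does not.
CITI_COOKIES = [
    "JFPWebAppInfo=/US; Path=/; Secure",
    "JSESSIONID=0000jFPDDjxDVnKiTi2Rg_nH26j:prap10-usgcb2; Path=/",
]
ISSUED_BY = "https://online.citibank.com/JPS/portal/GetHTMLContent.do"


def main():
    for url in ("https://online.citibank.com/",
                "http://online.citibank.com/",
                "http://online.citibank.com:443/",   # the trick from the issue background
                "http://www.citibank.com/"):         # outside the cookie's host scope
        print(f"{url:40} -> {cookies_sent_to(CITI_COOKIES, ISSUED_BY, url)}")


if __name__ == "__main__":
    main()
```

Running it shows both cookies going to the HTTPS origin, only JSESSIONID going to the two plain-HTTP URLs (the :443 variant included), and nothing going to the unrelated host. The Secure attribute on JFPWebAppInfo is what keeps it off the clear-text requests; nothing else about the two cookies differs.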

Issue remediation

The Secure attribute should be set on every cookie that carries sensitive data or a session token and is issued when content is accessed over HTTPS. If the application needs a session cookie on both its HTTP and HTTPS areas, the HTTPS areas should use a separate session mechanism of their own, with a Secure cookie whose token is never sent over an unencrypted connection; sharing one unflagged session cookie between the two undermines the HTTPS areas entirely. Where the platform allows it, enforce the attribute centrally rather than per Set-Cookie call: for the stacks seen in this report that means the session cookie settings of the servlet container (Tomcat/JSF), session.cookie_secure in PHP, and the httpCookies requireSSL setting in ASP.NET. HTTP Strict Transport Security is a useful complement, since a browser that has seen the header rewrites http:// links for that host to https:// before sending anything, but it does not replace the attribute: it protects only browsers that have already visited the site over HTTPS, and only the hosts the policy names.
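As a second added example (again mine, not the report's), here is a small Python audit that applies the check behind this finding to raw HTTP responses of the kind captured below: it parses each Set-Cookie header, flags cookies that lack Secure (and, secondarily, HttpOnly), guesses which of them look like session tokens, and shows the hardened header a framework or edge rewrite would emit instead. The session-token heuristic (a name containing "sess", or a long high-entropy value) is my own and coarser than the scanner's; the sample response embedded below is constructed from the headers in instance 1.2 with the body truncated.

```python
import math
import re
from collections import Counter


def parse_set_cookie(header):
    """Split a Set-Cookie header value into (name, value, attributes).
    Attribute names are lower-cased; flags such as Secure map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue  # tolerate a trailing ';' as in the FastSpring headers
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def shannon_entropy(text):
    """Bits per character; random tokens score well above natural text."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_session_token(name, value):
    """Heuristic (mine, not the scanner's): framework session-cookie names,
    or a long value with high per-character entropy."""
    if "sess" in name.lower():
        return True
    return len(value) >= 16 and shannon_entropy(value) >= 3.0


def audit(header):
    """Report the security-relevant attributes of one Set-Cookie header."""
    name, value, attrs = parse_set_cookie(header)
    return {
        "name": name,
        "secure": "secure" in attrs,
        "httponly": "httponly" in attrs,
        "session_token": looks_like_session_token(name, value),
    }


def harden(header):
    """Return the header with Secure and HttpOnly appended where missing,
    leaving the existing attributes untouched (what an edge rewrite would do)."""
    _, _, attrs = parse_set_cookie(header)
    out = header.strip().rstrip(";")
    if "secure" not in attrs:
        out += "; Secure"
    if "httponly" not in attrs:
        out += "; HttpOnly"
    return out


def insecure_cookies(raw_response):
    """Audit every Set-Cookie header in a raw HTTP response (headers only;
    the body after the blank line is ignored) and return those lacking Secure."""
    head = re.split(r"\r?\n\r?\n", raw_response, maxsplit=1)[0]
    findings = []
    for line in head.splitlines():
        key, sep, val = line.partition(":")
        if sep and key.strip().lower() == "set-cookie":
            result = audit(val.strip())
            if not result["secure"]:
                findings.append(result)
    return findings


# Constructed sample: the header block of instance 1.2, body truncated.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Sun, 20 Mar 2011 14:01:13 GMT\r\n"
    "Content-type: text/html; charset=ISO-8859-1\r\n"
    "Set-cookie: JFPWebAppInfo=/US; Path=/; Secure\r\n"
    "Set-cookie: JSESSIONID=0000jFPDDjxDVnKiTi2Rg_nH26j:prap10-usgcb2; Path=/\r\n"
    "Connection: close\r\n"
    "\r\n"
    "<script>var pageName = '';</script>\r\n"
)

if __name__ == "__main__":
    for finding in insecure_cookies(SAMPLE_RESPONSE):
        print(finding)
    for hdr in ("JSESSIONID=0000jFPDDjxDVnKiTi2Rg_nH26j:prap10-usgcb2; Path=/",
                "ASP.NET_SessionId=kj055u1p4rjlytavdwiqjuth; path=/; HttpOnly"):
        print(harden(hdr))
```

On the sample response only JSESSIONID is reported, because JFPWebAppInfo already carries Secure. Appending attributes at the edge, as harden() does, is a stop-gap for a framework you cannot reconfigure quickly; it does not address the remediation point about sharing one session cookie between HTTP and HTTPS areas, which needs an application-level change.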


1.1. https://account.woot.com/signup

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://account.woot.com
Path:   /signup

Issue detail

The following cookie was issued by the application and does not have the secure flag set: ASP.NET_SessionId (see the Set-Cookie header in the response below). It carries HttpOnly but not Secure. The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /signup?returnurl=http%3a%2f%2fwww.woot.com%2fdefault.aspx HTTP/1.1
Host: account.woot.com
Connection: keep-alive
Referer: http://www.woot.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=68a92d94b49fa8ca:T=1300624474:S=ALNI_MYMGDpiaZCYenCyoYfDzME3mF-6iw; __qca=P0-1285104554-1300624487224; __utmz=87498951.1300624488.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=87498951.137914016.1300624488.1300624488.1300624488.2; __utmc=87498951; __utmb=87498951.2.10.1300624488

Response

HTTP/1.1 200 OK
Cache-Control: public, no-store, max-age=0
Content-Type: text/html; charset=utf-8
Expires: Sun, 20 Mar 2011 13:39:23 GMT
Last-Modified: Sun, 20 Mar 2011 13:39:23 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
Set-Cookie: ASP.NET_SessionId=kj055u1p4rjlytavdwiqjuth; path=/; HttpOnly
X-AspNetMvc-Version: 3.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Sun, 20 Mar 2011 13:39:23 GMT
Content-Length: 14055


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml"
...[SNIP]...

1.2. https://online.citibank.com/JPS/portal/GetHTMLContent.do

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://online.citibank.com
Path:   /JPS/portal/GetHTMLContent.do

Issue detail

The following cookie was issued by the application and does not have the secure flag set: JSESSIONID (see the second Set-cookie header in the response below). Note that the same response sets JFPWebAppInfo with the Secure attribute, so the application already uses the attribute; it has simply not been applied to the session cookie. The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /JPS/portal/GetHTMLContent.do HTTP/1.1
Host: online.citibank.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=00000XlLtMSIdklMi_uAGOW5OEs:prap10-usgcb2; fsr.a=1300627697988; CP=null*;

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 14:01:13 GMT
Content-type: text/html; charset=ISO-8859-1
P3P: policyref="http://online.citibank.com/w3c/p3p.xml",CP="CAO DSP CUR ADM DEV OUR NOR STP UNIo NAV STA PREi TAI"
Content-language: en-US
Set-cookie: JFPWebAppInfo=/US; Path=/; Secure
X-ua-compatible: IE=EmulateIE7
Jid: 110320100113148614419345
Cid: prap10-usgcb2
X-ua-compatible: IE=EmulateIE7
Cache-control: no-cache, must-revalidate, proxy-revalidate, no-store
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-cookie: JSESSIONID=0000jFPDDjxDVnKiTi2Rg_nH26j:prap10-usgcb2; Path=/
Connection: close


<script>
var pageName = '';
</script>


<script language="JavaScript" src="/JFP/js/jquery/jquery.js"></script>



...[SNIP]...

1.3. https://online.citibank.com/JRSAO/ao_online/editLocation.do

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://online.citibank.com
Path:   /JRSAO/ao_online/editLocation.do

Issue detail

The following cookie was issued by the application and does not have the secure flag set: JSESSIONID (see the second Set-cookie header in the response below). As in 1.2, JFPWebAppInfo in the same response does carry Secure. The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /JRSAO/ao_online/editLocation.do HTTP/1.1
Host: online.citibank.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=00000XlLtMSIdklMi_uAGOW5OEs:prap10-usgcb2; fsr.a=1300627697988; CP=null*;

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 14:01:13 GMT
Content-type: text/html; charset=ISO-8859-1
P3P: policyref="http://online.citibank.com/w3c/p3p.xml",CP="CAO DSP CUR ADM DEV OUR NOR STP UNIo NAV STA PREi TAI"
Content-language: en-US
Set-cookie: JFPWebAppInfo=/US; Path=/; Secure
X-ua-compatible: IE=EmulateIE7
Jid: 110320100113148614419346
Cid: prap10-usgcb2
X-ua-compatible: IE=EmulateIE7
Cache-control: no-cache, must-revalidate, proxy-revalidate, no-store
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-cookie: JSESSIONID=00004GFqPoLVQFzWtSKYiqiGmx2:prap10-usgcb2; Path=/
Connection: close


<script>
var pageName = '';
</script>


<script language="JavaScript" src="/JFP/js/jquery/jquery.js"></script>



...[SNIP]...

1.4. https://online.citibank.com/US/JRS/pands/detail.do

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://online.citibank.com
Path:   /US/JRS/pands/detail.do

Issue detail

The following cookie was issued by the application and does not have the secure flag set: JSESSIONID (see the Set-cookie header in the response below). The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /US/JRS/pands/detail.do?ID=IRA HTTP/1.1
Host: online.citibank.com
Connection: keep-alive
Referer: http://www.citibank.com/us/home.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 13:39:24 GMT
Content-type: text/html; charset=ISO-8859-1
P3P: policyref="http://online.citibank.com/w3c/p3p.xml",CP="CAO DSP CUR ADM DEV OUR NOR STP UNIo NAV STA PREi TAI"
X-ua-compatible: IE=EmulateIE7
Jid: 110320093924148570419963
X-ua-compatible: IE=EmulateIE7
Cache-control: no-cache, must-revalidate, proxy-revalidate, no-store
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-language: en-US
Set-cookie: JSESSIONID=0000YJXr766z69FKlS3a22wwTql:prap11-usgcb1; Path=/
Vary: accept-encoding
Content-Length: 19583


<script>
var pageName = '';
</script>


<script language="JavaScript" src="/JFP/js/jquery/jquery.js"></script>



...[SNIP]...

1.5. https://online.citibank.com/US/JRS/portal/template.do

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://online.citibank.com
Path:   /US/JRS/portal/template.do

Issue detail

The following cookie was issued by the application and does not have the secure flag set: JSESSIONID (see the Set-cookie header in the response below). The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /US/JRS/portal/template.do HTTP/1.1
Host: online.citibank.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=00000XlLtMSIdklMi_uAGOW5OEs:prap10-usgcb2; fsr.a=1300627697988; CP=null*;

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 14:01:12 GMT
Content-type: text/html; charset=ISO-8859-1
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: policyref="http://online.citibank.com/w3c/p3p.xml",CP="CAO DSP CUR ADM DEV OUR NOR STP UNIo NAV STA PREi TAI"
Content-language: en-US
Set-cookie: JSESSIONID=0000BLsMq2KAjr8hnOf2sniOgBH:prap10-usgcb2; Path=/
X-ua-compatible: IE=EmulateIE7
Jid: 110320100112148614419341
Cid: prap10-usgcb2
X-ua-compatible: IE=EmulateIE7
Cache-control: no-cache, must-revalidate, proxy-revalidate, no-store
Pragma: no-cache
Connection: close


<script>
var pageName = '';
</script>


<script language="JavaScript" src="/JFP/js/jquery/jquery.js"></script>



...[SNIP]...

1.6. https://online.citibank.com/US/JSO/signon/DisplayUsernameSignon.do

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://online.citibank.com
Path:   /US/JSO/signon/DisplayUsernameSignon.do

Issue detail

The following cookie was issued by the application and does not have the secure flag set: JSESSIONID (see the Set-cookie header in the response below). This is the sign-on page, so the session identifier issued here is the one a user will carry into authentication. The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /US/JSO/signon/DisplayUsernameSignon.do?cmp=signon&next_page=jfp|jJRSIRA_IRAContribEnterIRA HTTP/1.1
Host: online.citibank.com
Connection: keep-alive
Referer: https://online.citibank.com/JRS/greybox/loader_frame.html?s=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=00000XlLtMSIdklMi_uAGOW5OEs:prap10-usgcb2; CP=null*; fsr.a=1300627695988

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 13:39:23 GMT
Content-type: text/html; charset=ISO-8859-1
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: policyref="http://online.citibank.com/w3c/p3p.xml",CP="CAO DSP CUR ADM DEV OUR NOR STP UNIo NAV STA PREi TAI"
Content-language: en-US
Set-cookie: JSESSIONID=00005kvZgxcX-53P64COpFtpKxi:prap10-usgcb2; Path=/
X-ua-compatible: IE=EmulateIE7
Jid: 110320093923148614418622
Cid: prap10-usgcb2
X-ua-compatible: IE=EmulateIE7
Cache-control: no-cache, must-revalidate, proxy-revalidate, no-store
Pragma: no-cache
Vary: accept-encoding
Content-Length: 18338


<script>
var pageName = '';
</script>


<script language="JavaScript" src="/JFP/js/jquery/jquery.js"></script>



...[SNIP]...

1.7. https://sites.fastspring.com/richardsonsoftware/instant/editrocket

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://sites.fastspring.com
Path:   /richardsonsoftware/instant/editrocket

Issue detail

The following cookies were issued by the application and do not have the secure flag set: JSESSIONID and SessionData (see the Set-Cookie headers in the response below). Neither carries HttpOnly either; both are scoped to Path=/richardsonsoftware. The cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /richardsonsoftware/instant/editrocket HTTP/1.1
Host: sites.fastspring.com
Connection: keep-alive
Referer: http://editrocket.com/register.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Powered-By: JSF/1.2
Set-Cookie: JSESSIONID=27597E28151A94B2FE97F491A8D9A527;Path=/richardsonsoftware;Version=1;
Set-Cookie: SessionData=SUQJYmZkelVTa1hTZ2VjMmRlWXozNk1iZwpHTG9jYWxlCWVuX1VTX1VTRAo0ZTkyM2MzYy1hMDg4LTRiYWEtYmZmZS01Mzg5OWM5ODNkYTU6U1NDdHhJZAk0ZjlmYjg4ZS02YmUwLTQ5ZTgtYWVlYy1lODY3ZTMzODFlOWU;Path=/richardsonsoftware;Version=1;
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 20 Mar 2011 13:58:05 GMT
Content-Length: 116982

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" >
<html xmlns="http://www.w3.org/1999/xhtml">    
<head>
   <title>Richardson Softwa
...[SNIP]...

1.8. https://sites.fastspring.com/richardsonsoftware/order/customer

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://sites.fastspring.com
Path:   /richardsonsoftware/order/customer

Issue detail

The following cookies were issued by the application and do not have the secure flag set: JSESSIONID and SessionData (see the Set-Cookie headers in the response below). Neither carries HttpOnly either. The same JSESSIONID value also appears in the request URL (;jsessionid=...), so it is exposed in referrers and logs as well as on the wire. The cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /richardsonsoftware/order/customer;jsessionid=814FD1DA84752AF7872A6197C210F629?csid=169019 HTTP/1.1
Host: sites.fastspring.com
Connection: keep-alive
Referer: https://sites.fastspring.com/richardsonsoftware/instant/editrocket
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=814FD1DA84752AF7872A6197C210F629; SessionData=SUQJbWwzZktRUFlSb21qbUY2MFY3cU9UZwpHTG9jYWxlCWVuX1VTX1VTRAo0ZTkyM2MzYy1hMDg4LTRiYWEtYmZmZS01Mzg5OWM5ODNkYTU6U1NDdHhJZAkyN2UxN2EyYy0yNzczLTQ4OTEtYjA1OC1hMWUyNjAwZTRjMjI

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Powered-By: JSF/1.2
Set-Cookie: JSESSIONID=814FD1DA84752AF7872A6197C210F629;Path=/richardsonsoftware;Version=1;
Set-Cookie: SessionData=SUQJbWwzZktRUFlSb21qbUY2MFY3cU9UZwpHTG9jYWxlCWVuX1VTX1VTRAo0ZTkyM2MzYy1hMDg4LTRiYWEtYmZmZS01Mzg5OWM5ODNkYTU6U1NDdHhJZAkyN2UxN2EyYy0yNzczLTQ4OTEtYjA1OC1hMWUyNjAwZTRjMjI;Path=/richardsonsoftware;Version=1;
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Sun, 20 Mar 2011 13:58:12 GMT
Content-Length: 40337

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" >
<html xmlns="http://www.w3.org/1999/xhtml">    
<head>
   <title>Richardson Softwa
...[SNIP]...

1.9. https://sites.fastspring.com/richardsonsoftware/view

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://sites.fastspring.com
Path:   /richardsonsoftware/view

Issue detail

The following cookies were issued by the application and do not have the secure flag set: JSESSIONID and SessionData (see the Set-Cookie headers in the response below). Neither carries HttpOnly either. The cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

POST /richardsonsoftware/view;jsessionid=814FD1DA84752AF7872A6197C210F629 HTTP/1.1
Host: sites.fastspring.com
Connection: keep-alive
Referer: https://sites.fastspring.com/richardsonsoftware/instant/editrocket
Cache-Control: max-age=0
Origin: https://sites.fastspring.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=814FD1DA84752AF7872A6197C210F629; SessionData=SUQJbWwzZktRUFlSb21qbUY2MFY3cU9UZwpHTG9jYWxlCWVuX1VTX1VTRAo0ZTkyM2MzYy1hMDg4LTRiYWEtYmZmZS01Mzg5OWM5ODNkYTU6U1NDdHhJZAkyN2UxN2EyYy0yNzczLTQ4OTEtYjA1OC1hMWUyNjAwZTRjMjI
Content-Length: 10282

product=product&product%3Apid=8146a396-162e-4c65-9db2-7beb595c4781&product%3Adest=CHECKOUT&system_request_session=SUQJbWwzZktRUFlSb21qbUY2MFY3cU9UZwpHTG9jYWxlCWVuX1VTX1VTRAo0ZTkyM2MzYy1hMDg4LTRiYWEtYm
...[SNIP]...

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
X-Powered-By: JSF/1.2
Set-Cookie: JSESSIONID=814FD1DA84752AF7872A6197C210F629;Path=/richardsonsoftware;Version=1;
Set-Cookie: SessionData=SUQJbWwzZktRUFlSb21qbUY2MFY3cU9UZwpHTG9jYWxlCWVuX1VTX1VTRAo0ZTkyM2MzYy1hMDg4LTRiYWEtYmZmZS01Mzg5OWM5ODNkYTU6U1NDdHhJZAkyN2UxN2EyYy0yNzczLTQ4OTEtYjA1OC1hMWUyNjAwZTRjMjI;Path=/richardsonsoftware;Version=1;
Location: https://sites.fastspring.com/richardsonsoftware/order/customer;jsessionid=814FD1DA84752AF7872A6197C210F629?csid=169025
Content-Length: 0
Date: Sun, 20 Mar 2011 13:58:11 GMT


1.10. https://ssl.myyearbook.com/login

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://ssl.myyearbook.com
Path:   /login

Issue detail

The following cookies were issued by the application and do not have the secure flag set: PHPSESSID, COOK_LOGIN, COOK_INDICATOR, COOK_USERNAME and COOK_USERID (see the Set-Cookie headers in the response below). The highlighted cookie, PHPSESSID, appears to contain a session token, which may increase the risk associated with this issue; the four COOK_* cookies are being cleared in this response (value "deleted", expiry in the past) and carry nothing of value here. Note that PHPSESSID is scoped to domain=.myyearbook.com and the response redirects to plain http://www.myyearbook.com/, which lies within that scope, so the browser will transmit the session identifier in clear text on the very next request. You should review the contents of the cookies to determine their function.

Request

POST /login HTTP/1.1
Host: ssl.myyearbook.com
Connection: keep-alive
Referer: http://www.myyearbook.com/
Cache-Control: max-age=0
Origin: http://www.myyearbook.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mybRegTheme=hbl; mybRegData=%5B%5D; POSTAff2Cookie=HBL; MYB_TARGET=_unknown_1000_____; __gads=ID=f3640abbd1b1cdb3:T=1300624489:S=ALNI_MbrX_Emgz4sKka8nHjyRqG1O3ly8w; __utmz=138725551.1300624490.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=138725551.528389796.1300624489.1300624489.1300624489.1; __utmc=138725551; __qca=P0-193244728-1300624490343; PHPSESSID=fdf70e60bc7204869a6429bf4a1984b3
Content-Length: 61

username=Email&password=&submit.x=25&submit.y=13&quicklogin=1

Response

HTTP/1.1 302 Found
Date: Sun, 20 Mar 2011 13:36:17 GMT
Server: Apache
Set-Cookie: PHPSESSID=fdf70e60bc7204869a6429bf4a1984b3; path=/; domain=.myyearbook.com
Set-Cookie: COOK_LOGIN=deleted; expires=Sat, 20-Mar-2010 13:36:16 GMT; path=/; domain=ssl.myyearbook.com
Set-Cookie: COOK_LOGIN=deleted; expires=Sat, 20-Mar-2010 13:36:16 GMT; path=/; domain=.myyearbook.com
Set-Cookie: COOK_INDICATOR=deleted; expires=Sat, 20-Mar-2010 13:36:16 GMT; path=/; domain=.myyearbook.com
Set-Cookie: COOK_USERNAME=deleted; expires=Sat, 20-Mar-2010 13:36:16 GMT; path=/; domain=.myyearbook.com
Set-Cookie: COOK_USERID=deleted; expires=Sat, 20-Mar-2010 13:36:16 GMT; path=/; domain=.myyearbook.com
Location: http://www.myyearbook.com/?mysession=cmVnaXN0cmF0aW9uX3JlZ2lzdHJhdGlvbiZyZWZlcnJlcj0wJm9sZD0xJmxvZ2luX2ZhaWx1cmU9dHJ1ZSZlbWFpbElkPWVtYWls
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
X-MyPoolMember: 10.10.10.75


1.11. https://www.drivenissanleaf.com/Event/

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www.drivenissanleaf.com
Path:   /Event/

Issue detail

The following cookie was issued by the application and does not have the secure flag set: ASP.NET_SessionId (see the Set-Cookie header in the response below). It carries HttpOnly but not Secure. The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /Event/ HTTP/1.1
Host: www.drivenissanleaf.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 62979
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
p3p: CP="CAO PSA OUR"
Set-Cookie: ASP.NET_SessionId=4huocw55yrsk3d45jf2axi55; path=/; HttpOnly
Date: Sun, 20 Mar 2011 13:59:22 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00_Head1"><ti
...[SNIP]...

1.12. https://www.facebook.com/login.php

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.facebook.com
Path:   /login.php

Issue detail

The following cookies were issued by the application and do not have the secure flag set: datr, lsd, reg_fb_gate and reg_fb_ref (see the Set-Cookie headers in the response below). None of them appears to contain a session token, which may reduce the risk associated with this issue: datr is a two-year cookie (expires 2013) that carries HttpOnly but not Secure, lsd holds a short value, and reg_fb_gate and reg_fb_ref hold URLs. You should review the contents of the cookies to determine their function.

Request

GET /login.php HTTP/1.1
Host: www.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: gz=1; datr=VV5oTas0hG1hzk6eclVNNMGO; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Donline.wsj.com%26placement%3Drecommendations%26extra_1%3Dhttp%253A%252F%252Fonline.wsj.com%252Fhome-page%26extra_2%3DUS;

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma: no-cache
Set-Cookie: datr=VV5oTas0hG1hzk6eclVNNMGO; expires=Tue, 19-Mar-2013 13:59:31 GMT; path=/; domain=.facebook.com; httponly
Set-Cookie: lsd=sP6uX; path=/; domain=.facebook.com
Set-Cookie: reg_fb_gate=https%3A%2F%2Fwww.facebook.com%2Flogin.php; path=/; domain=.facebook.com
Set-Cookie: reg_fb_ref=https%3A%2F%2Fwww.facebook.com%2Flogin.php; path=/; domain=.facebook.com
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.43.143.81
X-Cnection: close
Date: Sun, 20 Mar 2011 13:59:31 GMT
Connection: close
Content-Length: 15659

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class=
...[SNIP]...

1.13. https://www.riftgame.com/en/products/index.php

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.riftgame.com
Path:   /en/products/index.php

Issue detail

The following cookies were issued by the application and do not have the secure flag set: locale_pref and _ctia (see the Set-Cookie headers in the response below; region_pref is being cleared in the same response, not set). Neither appears to contain a session token, which may reduce the risk associated with this issue: they hold a locale preference and a one-character flag. You should review the contents of the cookies to determine their function.

Request

GET /en/products/index.php HTTP/1.1
Host: www.riftgame.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 14:00:10 GMT
Server: Apache/2.2.8 (CentOS)
X-Powered-By: PHP/5.2.10
Set-Cookie: region_pref=deleted; expires=Sat, 20-Mar-2010 14:00:09 GMT; path=/; domain=.riftgame.com
Set-Cookie: locale_pref=en; expires=Tue, 19-Apr-2011 14:00:10 GMT; path=/; domain=.riftgame.com
Set-Cookie: _ctia=1; expires=Tue, 19-Apr-2011 14:00:10 GMT; path=/; domain=.riftgame.com
Keep-Alive: timeout=15
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 23553

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>RIFT - Products</title>
<meta co
...[SNIP]...
