After successful login JSessionID is exposed as a Get Parameter

Sarath J shared this question 4 years ago
Answered

Hello,


We were running a security scan as part of the vulnerability test. The scan report has identified an issue: the JSESSIONID is passed as a GET parameter instead of a POST.


Scan Results are as below


Medium: Placing tokens into the URL increases the risk that they will be captured by an attacker.


Low: An attacker would need to get access to a URL where the token was leaked.


Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed.


Request: GET /reporting/login.i4;jsessionid=177C4C8C37EDE8A151A263C7E69909A4


Fix/Workaround:

The application should use the POST method to submit tokens or use Cookies instead.


Are there any settings in Yellowfin with which we can control this behaviour? Is there any way we can configure Yellowfin to pass the JSessionID as a POST parameter instead of sending it as a GET parameter?

Comments (14)


Hello Sarath,


Is this issue being detected on the login.i4 page or on the initial splash page?

Are you using a custom login page?


The jsessionid is an "at time" generated ID used only to keep track of the user and its connection (for validation).

It doesn't offer any way for an attacker to get into the system as it still requires a username and password to have been authenticated.


If you are using a custom login page, it is possible to change the "method" of the form submission from "GET" to "POST".


I look forward to hearing from you soon!

Best regards,

Pete


Hello Pete,


We are not using any custom login page. We are using the Yellowfin login page itself.


regards,

Sarath


Hi Sarath,

I have been looking into this a little further for you.

This is a Tomcat generated ID that is used for cookies - unfortunately Yellowfin doesn't have any direct control over it. However, I have discovered a way of forcing Tomcat to use POST (more secure).

If you find your web.xml file inside Yellowfin:

[yellowfin install path]/appserver/webapps/ROOT/WEB-INF/web.xml

and add the following snippet just inside the <web-app> tag at the top of the file:

    <session-config>
        <cookie-config>
            <http-only>true</http-only>
            <secure>true</secure>
        </cookie-config>
    </session-config>

so it should look like this: [attached screenshot]

This should force Tomcat to use its secure method and should then pass your testing.

Please make sure you back up your web.xml file before editing! You will need to stop and start the Yellowfin service for this change to take effect.

Please let us know how you get on!

Best regards,

Pete
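The snippet above sets the HttpOnly and Secure flags on the session cookie, but the ;jsessionid=... path segment comes from the servlet container's URL-rewriting fallback, which is controlled separately. Since Servlet 3.0 (Tomcat 7 and later), web.xml can restrict session tracking to cookies only, so the container never rewrites a URL even on the first request before it knows whether the client accepts cookies. The following is an added example, not configuration from the thread or from Yellowfin; it assumes a Servlet 3.0+ container and that the <web-app> root element of web.xml declares version="3.0" or higher.

```xml
<!-- Added example (not from the thread): Servlet 3.0 session configuration for
     [yellowfin install path]/appserver/webapps/ROOT/WEB-INF/web.xml.
     Assumes Tomcat 7 or later and a <web-app version="3.0"> (or higher) root element. -->
<session-config>
    <!-- Idle timeout in minutes; 30 is a constructed sample value, not a Yellowfin default -->
    <session-timeout>30</session-timeout>

    <cookie-config>
        <!-- Cookie is not readable from script (document.cookie) -->
        <http-only>true</http-only>
        <!-- Cookie is only sent over HTTPS; only set this if the site is actually served over TLS -->
        <secure>true</secure>
    </cookie-config>

    <!-- COOKIE only: disables the URL-rewriting fallback, so no ;jsessionid=... is ever
         appended to a path or link. A client that rejects cookies simply cannot hold a session,
         which is the intended trade-off when the session id must stay out of URLs and logs. -->
    <tracking-mode>COOKIE</tracking-mode>
</session-config>
```

To verify after restarting the service, request the login page once with a fresh client and check that the response carries a Set-Cookie header for JSESSIONID with the HttpOnly and Secure attributes, and that neither the redirect Location header nor any link or form action in the page contains ;jsessionid=. Note that with <secure>true</secure> the cookie is never sent over plain HTTP, so login over HTTP would stop working; keep that setting only for an HTTPS-only deployment.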


Hello Pete,


Retested this after making the changes as per your suggestion. Find the attached image.


[attached screenshot]


The JSessionID field is still getting recorded, and the value is available to the external users.


regards,

Sarath


Hello Sarath,


The JSessionID parameter should only be passed as a GET if cookies are disabled on the local system.

Is this the case for this client machine (where you are running the testing from)?

Do your users have cookies disabled?


Best regards,

Pete


Hello Pete,


No we did not disable any cookies on the client machine.


regards,

Sarath


Hi Sarath,


I have tested and confirmed that the cookies functionality is working correctly. I have attached 2 videos to demonstrate this to you.

The first video, "Cookies_disabled_in_Tomcat_and_Yellowfin.mp4", shows that when I have disabled cookies in both Yellowfin and Tomcat then the JSessionID is shown in the URL.

The second video shows how to enable cookies in both Tomcat and Yellowfin:

1) Admin -> Configuration -> System -> General Settings -> External API cookie timeout (0 = disabled, any value greater than 0 means enabled)

2) Run the following query against the YF DB:

    UPDATE Configuration
    SET ConfigData='YES'
    WHERE ConfigCode='LOGONCOOKIE'

3) Open the file <Yellowfin home>\appserver\conf\Catalina\localhost\ROOT.xml and add cookies="true" to the Context.


and then it demonstrates that the JSessionID no longer appears in the URL.


Could you please take a minute to watch the video and then confirm that the above 3 steps have been performed on your Yellowfin and let me know if that resolves the issue.


regards,

Big Dave


Hello Dave,


Thanks for the detailed steps; we have followed all the steps as mentioned. But still the JSESSIONID information is getting recorded in the Network Monitor. Please refer to the attached screenshot.


regards,

Sarath


Hi Sarath,


I am sorry but now I am getting confused....in your latest screenshot we can see the JSessionID getting passed using the POST method instead of using the GET method...and that was what you wanted in the beginning of this thread: "Is there any way we can configure Yellowfin to pass the JSessionID as a post parameter instead to a sending it as a Get Parameter?" Could you please confirm the issue at hand?


regards,

Big Dave


Hello Dave,


I understand your comment. But when you run a network profiler or Fiddler we are able to see the JSESSIONID as part of the outgoing URL. Please refer to the above screenshot; you will observe that the JSESSIONID is also being recorded as part of the outgoing URL. We want to know if we can configure the attribute JSESSIONID to not be part of any URL getting generated from the client side to the Yellowfin server.


regards,

Sarath


Hi Sarath,


OK, I think I know what's going wrong....you are using HTTPS but you configured your web.xml with <http-only>true</http-only>

Please make sure that you change it to <http-only>false</http-only>, restart Yellowfin and then let me know if that gets the result you want.

I have just tested this out and it works for me:


[attached screenshot]


regards,

Big Dave


Hi,


We did all the changes as you suggested, but we still see the JsessionId in the URL.

I have discussed with Sarath and we need a proper solution for this.

If you need, I can send you more details with screenshots taken from Fiddler.

Please let me know, but we need this urgently as it's business critical.


Thanks,

Mansi Sharma.


Hi Mansi,


I've been playing around with cookies and browsers over here and I've been able to reproduce the issue you are experiencing. What I've found is that the issue is caused by Internet Explorer and it is to do with IE not consistently following the Privacy settings (Tools->Internet Options), for example, if I change the Privacy settings from Block All Cookies to Accept All Cookies, sometimes IE still blocks all cookies, even if I restart the browser it still blocks all cookies, but then sometimes IE follows the Privacy setting change straight away without even having to restart the browser.


So, could you please use Firefox or Chrome and see if that resolves the issue of JSessionID being displayed in the URL? (of course, make sure that they are configured to accept cookies.)

Please let me know how this goes.


regards,

Big Dave


Hi Sarath and Mansi,


I'm just going through my work list and checking up on things and I noticed that you haven't responded to this for a month so I'm asking whether you would like this ticket to be closed now?


regards,

David


Hi Sarath and Mansi,

It's been 2 weeks since my last communication about the status of this ticket and there has been no response, so I'm going to close it. However, if you feel that is incorrect then just respond and the ticket will re-open and appear back on my worklist.

regards,

David