LIFF app vulnerability: how to resolve it?

Precondition / conditions to reproduce

During LINE Login authentication, the session cookie does not contain the "HttpOnly" attribute. This is flagged as a vulnerability, which could lead to user impersonation or compromise of the application account. According to the Qualys scan service, the affected cookies are: optOutEnabled, try, _trmccid, LIFF_STORE:expires:1599769198-yldV7xRg, __is_login_sso, _trmcdisabled2, _trmcpage, _trmcsession, _trmcuser.

Resolution tried

Using the "add_header" directive is an easy way to set the HttpOnly and Secure cookie flags in the Set-Cookie HTTP response header. Take a backup of the configuration file and add the following to nginx.conf under the http block.

add_header Set-Cookie "Path=/; HttpOnly; Secure";

Restart nginx to verify the result.

*** Not successful. The vulnerability still persists. ***

Reference information (version / platform / environment)

All web and mobile environments.
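The following is an added example written for this page; it is not code from the original post, from LINE, or from nginx. It models what the scanner checks (each Set-Cookie header is inspected on its own for HttpOnly and Secure) and compares the two ways of remediating it: `add_header Set-Cookie "Path=/; HttpOnly; Secure";`, which only appends one more response header (a browser stores it as a cookie named `Path` with value `/`) and leaves the cookies the upstream already sent untouched, versus a per-cookie rewrite that appends the missing flags to each existing header, which is what nginx's `proxy_cookie_flags` directive (nginx 1.19.3 and later, e.g. `proxy_cookie_flags ~ httponly secure;`) does for proxied responses. The Set-Cookie values below are constructed for the example; only the cookie names are taken from the Qualys finding, and the values, paths and domain are made up. One caveat the example does not model: a cookie that is set by client-side JavaScript (`document.cookie`) never passes through a Set-Cookie response header, so neither add_header nor proxy_cookie_flags can make it HttpOnly; such a cookie has to be set by the server instead.

```python
"""Audit Set-Cookie headers for HttpOnly/Secure and compare two remediations.

Added example, not from the original post. The Set-Cookie values below are
constructed to resemble the cookie names in the Qualys finding; they are not
captured from LINE Login, and the values and attributes are made up.
"""
from typing import Dict, List, Tuple

REQUIRED_FLAGS = ("HttpOnly", "Secure")

# Constructed sample: what an origin's Set-Cookie headers might look like.
SAMPLE_SET_COOKIES = [
    "__is_login_sso=1; Path=/",                          # neither flag
    "_trmcsession=abc123; Path=/; Domain=example.test",  # neither flag
    "optOutEnabled=false; Path=/; Secure",               # Secure only
    "try=1; Path=/; HttpOnly",                           # HttpOnly only
]


def parse_set_cookie(header: str) -> Tuple[str, List[str]]:
    """Split one Set-Cookie value into (cookie name, [attribute strings])."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    return name, parts[1:]


def has_flag(attrs: List[str], flag: str) -> bool:
    """Attribute names are case-insensitive (RFC 6265)."""
    return any(a.lower() == flag.lower() for a in attrs)


def audit(set_cookies: List[str]) -> Dict[str, List[str]]:
    """Return {cookie_name: [missing flags]} for every cookie lacking a flag.

    This is the check a scanner performs: each existing Set-Cookie header is
    inspected on its own, so an extra header cannot 'cover' the others.
    """
    findings: Dict[str, List[str]] = {}
    for header in set_cookies:
        name, attrs = parse_set_cookie(header)
        missing = [f for f in REQUIRED_FLAGS if not has_flag(attrs, f)]
        if missing:
            findings[name] = missing
    return findings


def apply_add_header(set_cookies: List[str]) -> List[str]:
    """Model of `add_header Set-Cookie "Path=/; HttpOnly; Secure";` in nginx.

    add_header appends one more response header; it never edits headers the
    upstream already sent. A browser parses the new header as a cookie named
    'Path' with value '/', and the original cookies stay exactly as they were.
    """
    return set_cookies + ["Path=/; HttpOnly; Secure"]


def add_flags(header: str, flags=REQUIRED_FLAGS) -> str:
    """Append each missing flag to one existing Set-Cookie header.

    This is the per-cookie rewrite that nginx's proxy_cookie_flags directive
    (1.19.3+) performs, e.g. `proxy_cookie_flags ~ httponly secure;`.
    """
    _, attrs = parse_set_cookie(header)
    out = header.rstrip("; ")
    for flag in flags:
        if not has_flag(attrs, flag):
            out += "; " + flag
    return out


def fix_all(set_cookies: List[str]) -> List[str]:
    """Rewrite every Set-Cookie header so the audit comes back clean."""
    return [add_flags(h) for h in set_cookies]


if __name__ == "__main__":
    print("original:   ", audit(SAMPLE_SET_COOKIES))
    print("add_header: ", audit(apply_add_header(SAMPLE_SET_COOKIES)))
    print("per-cookie: ", audit(fix_all(SAMPLE_SET_COOKIES)))
```

Running the script shows the same four findings before and after the add_header approach, and none after the per-cookie rewrite. To check a live deployment the same way, capture the response headers of the login flow (for example with `curl -sI` against the endpoint that sets the cookies) and feed every Set-Cookie value to `audit()`; any cookie that does not appear in those headers at all is being set in the browser and needs to be fixed in the client code or moved server-side, not in nginx.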



