Detections
Analytics

Express.js Cookie-Session Weak Secret Key

high Web App Scanning Plugin ID 114439

Language:

Synopsis

Express.js Cookie-Session Weak Secret Key

Description

Express.js applications with Cookie-Session use an application key to encrypt and sign various data, including session cookies and other sensitive information. This key is typically stored in an environment variable and is used for multiple security-critical operations.

When a weak or easily guessable application key is used, it compromises the security of the entire application. Attackers can potentially decrypt sensitive data, forge valid session cookies, or even execute remote code in some scenarios.

Solution

The secret key used to sign the cookies in the application must be stronger (long and random) to prevent it from being retrieved with a bruteforce attack.

See Also

https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html

https://expressjs.com/en/resources/middleware/cookie-session.html

Plugin Details

Severity: High

ID: 114439

Type: remote

Published: 9/24/2024

Updated: 10/3/2024

Scan Template: api, basic, full, pci, scan

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: High

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: High

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS Score Source: Tenable

CVSS v4

Risk Factor: High

Base Score: 8.7

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

CVSS Score Source: Tenable

Reference Information