3 Replies Latest reply on Jun 12, 2018 12:47 AM by Anusha Varadarajan

    SSL cookie without secure flag set - & Ruby code injection

    surendra malluri


      One of my Customer done Security testing after Tableau Server Installed successfully and they found few issues on Security.


      These are few things they raised to fix, did any one face these kind of Security issues ever?


      please post your suggestions on each one.


      1. SSL cookie without secure flag set -

      If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie's scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site.


      2. Ruby code injection

      Issue detail

      The Referer HTTP header & cookie appears to be vulnerable to Ruby code injection attacks. The submitted value appears to be placed into a dynamically evaluated Ruby statement, within a single-quoted context.

      - /vizportal/api/web/v1/getSessionInfo

        - /vizportal/api/web/v1/getSessionInfo


      3 .Cookie without HttpOnly flag set


      If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure makes certain client-side attacks, such as cross-site scripting, slightly harder to exploit by preventing them from trivially capturing the cookie's value via an injected script.


      4.Strict transport security not enforced

      Issue description

        The application fails to prevent users from connecting to it over unencrypted connections. An attacker able to modify a legitimate user's network traffic could bypass the application's use of SSL/TLS encryption, and use the application as a platform for attacks against its users. This attack is performed by rewriting HTTPS links as HTTP, so that if a targeted user follows a link to the site from an HTTP page, their browser never attempts to use an encrypted connection. The sslstrip tool automates this process.


      Cacheable HTTPS response


      Unless directed otherwise, browsers may store a local cached copy of content received from web servers. Some browsers, including Internet Explorer, cache content accessed via HTTPS. If sensitive information in application responses is stored in the local cache, then this may be retrieved by other users who have access to the same computer at a future time



      Surendra M.