Session Fixation vulnerability

Dear OutSystems,


I am Janarthanan, from FICO.

We are using OutSystems version 9.1.616.0 for one of our clients. We have performed a security scan and it reports one vulnerability.


Vulnerability description

“WebInspect monitored multiple login sessions and did not observe any of the cookie values change on authentication. Inspected cookies include:
 OSSESSIONID, osVisitor, osVisit, pageLoadedFromBrowserCache”


For the “Session Fixation” vulnerability, the scanning tool is reporting an issue with the static values in the cookies, especially the OSSESSIONID cookie, whose value isn't changing upon login.


Note: I read in the OutSystems forum (link below) that OSSESSIONID is set by OutSystems (for Java).

https://success.outsystems.com/Support/Enterprise_Customers/Maintenance_and_Operations/Cookie_Usage_in_Web_Applications


More questions.

1. Is the OSSESSIONID cookie generated uniquely each time a user logs in?

2. Is the OSSESSIONID cookie generated uniquely and sequentially?


Kindly help me with this.


Thanks and Regards

Janarthanan

Solution

Hi Janarthanan,


I can't answer your last two questions. Regarding the vulnerability, you can find how to protect your apps at the following link.

https://success.outsystems.com/Support/Enterprise_Customers/Maintenance_and_Operations/How_OutSystems_Platform_helps_you_develop_secure_applications/02_Protecting_OutSystems_apps_from_authentication_vulnerabilities


Also note that starting with version 10.0.405.0 the platform already includes built-in protection against session fixation.


Ivo
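The scanner finding above and the protection Ivo points to both come down to one behaviour: whether the server issues a new session identifier at the moment a session becomes authenticated. The following is an added example written for this thread, not OutSystems platform code and not from the linked article; it uses a constructed in-memory session table, the cookie name from the scan, and hypothetical helper names to show the fixation-prone login beside the hardened one, the attack that distinguishes them, and the same check WebInspect performed (does the session cookie value change at login?).

```python
"""Session fixation: why the scanner wants the session cookie to change at login.

Constructed stand-in for a server-side session table. It is NOT the OutSystems
platform's implementation; the cookie name is taken from the scan report and
all function and class names are illustrative only.
"""
import secrets

SESSION_COOKIE = "OSSESSIONID"  # named in the scan; its handling here is hypothetical


class SessionStore:
    """Server-side session table: session id -> session attributes."""

    def __init__(self):
        self._sessions = {}

    @staticmethod
    def new_id():
        # 256 bits from the OS CSPRNG: unique and non-sequential in this stand-in,
        # so ids cannot be guessed. Fixation does not need guessing, though: the
        # attacker supplies the id, which is why rotation at login still matters.
        return secrets.token_urlsafe(32)

    def create(self):
        sid = self.new_id()
        self._sessions[sid] = {"user": None}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def rotate(self, old_sid):
        """Move the attributes to a fresh id and invalidate the old one."""
        attrs = self._sessions.pop(old_sid)
        new_sid = self.new_id()
        self._sessions[new_sid] = attrs
        return new_sid


def login_keeps_session_id(store, cookies, user):
    """Fixation-prone login: authenticates but leaves the pre-login id in place."""
    sid = cookies.get(SESSION_COOKIE)
    if store.get(sid) is None:
        sid = store.create()
    store.get(sid)["user"] = user
    return {SESSION_COOKIE: sid}        # Set-Cookie value the client gets back


def login_rotates_session_id(store, cookies, user):
    """Hardened login: the privilege change gets a freshly issued id."""
    sid = cookies.get(SESSION_COOKIE)
    if store.get(sid) is None:
        sid = store.create()
    sid = store.rotate(sid)             # old id is now unknown to the server
    store.get(sid)["user"] = user
    return {SESSION_COOKIE: sid}


def fixation_attack(login):
    """Replays the fixation scenario; returns the user the planted id now maps to."""
    store = SessionStore()
    planted = store.create()                    # attacker obtains an id from a pre-auth page
    victim_cookies = {SESSION_COOKIE: planted}  # attacker plants it in the victim's browser
    login(store, victim_cookies, "victim")      # victim authenticates with the planted id
    hijacked = store.get(planted)               # attacker presents the same id afterwards
    return hijacked["user"] if hijacked else None


def cookie_changes_on_login(login):
    """The check the scanner ran: does the session cookie value change at login?"""
    store = SessionStore()
    before = {SESSION_COOKIE: store.create()}
    after = login(store, before, "alice")
    return after[SESSION_COOKIE] != before[SESSION_COOKIE]


if __name__ == "__main__":
    for login in (login_keeps_session_id, login_rotates_session_id):
        print(login.__name__,
              "cookie changes:", cookie_changes_on_login(login),
              "attacker gets user:", fixation_attack(login))
```

Running it shows the fixation-prone login leaving the cookie unchanged and handing the attacker the victim's session, while the rotating login changes the cookie and leaves the planted id mapping to nothing. Note that this is also why the scanner's observation is only a proxy: what matters is that the pre-login id is invalidated at authentication, and a real verification should also confirm the old id is rejected afterwards, as `fixation_attack` does.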

Solution

Ivo's answer is the right answer (and I have marked it as the solution). In addition, this is a topic that we at FICO see on *every* scan we do; I don't know why this wasn't answered internally with the correct answer.

J.Ja

Ivo Gonçalves wrote:

Hi Janarthanan,


I can't answer your last two questions. Regarding the vulnerability, you can find how to protect your apps at the following link.

https://success.outsystems.com/Support/Enterprise_Customers/Maintenance_and_Operations/How_OutSystems_Platform_helps_you_develop_secure_applications/02_Protecting_OutSystems_apps_from_authentication_vulnerabilities


Also note that starting with version 10.0.405.0 the platform already includes built-in protection against session fixation.


Ivo

Hi Ivo,


Thanks for the immediate response. It helps. I also have one more query.

We have environments like Dev, INT and STG for that client. We have scanned all three environments, and this vulnerability was identified only in STG, not in Dev and INT.

If you have any idea why it's not identified in Dev and INT, please let us know.


Thanks

Jana