Support Center

Burp Community

See what our users are saying about Burp Suite:

How do I?

New Post View All

Feature Requests

New Post View All

Burp Extensions

New Post View All

Bug Reports

New Post View All
Documentation

Burp Suite Documentation

Take a look at our Documentation section for full details about every Burp Suite tool, function and configuration option.

Full Documentation Contents Burp Projects
Suite Functions Burp Tools
Options Using Burp Suite
Extensibility

Burp Extender

Burp Extender lets you extend the functionality of Burp Suite in numerous ways.

Extensions can be written in Java, Python or Ruby.

API documentation Writing your first Burp Suite extension
Sample extensions View community discussions about Extensibility
Name is required.
Email address is required.
Invalid email address
Answer is required.
Exceeding max length of 5KB

cookie without secure flag - different issues

Robin Wood Mar 20, 2017 10:26AM UTC

Can you explain the difference in these two issue which have both been flagged on the same site?

Issue:  SSL cookie without secure flag set
Severity:  Medium
Confidence:  Firm
Host:  https://abc
Path:  /

Set-Cookie: ASP.NET_SessionId=054nklywi05mesavwtc3g4ck; path=/; HttpOnly


Issue:  SSL cookie without secure flag set
Severity:  Information
Confidence:  Certain
Host:  https://abc
Path:  /login.aspx

Set-Cookie: .ASPXAUTH=686...3E29CB0; path=/; HttpOnly

They are both from different pages but both for cookies which obviously don't have the secure flag. Why is one Informational and one Medium? And what is the difference between Firm and Certain?

It doesn't really make a difference in this instance but if there are other findings which are sometimes logged as info and sometimes as more serious then it might trip some people up.


Dafydd Stuttard Mar 20, 2017 11:45AM UTC Support Center agent

Burp tries to identify session tokens in cookies, and it looks like in this case it is deciding that one of the cookies does contain a session token, but it isn’t sure about the other.

The (apparent) session token is reported with medium severity (and firm confidence, since we might be wrong about it being a session token) while the other token is reported as information only (and therefore certain confidence).


Post Your public answer

Your name
Your email address
Answer