Burp Suite User Forum


Burp Suite has reported about use of Permanent or persistent cookies on client machine.

Sai | Last updated: Mar 27, 2018 02:20PM UTC

Burp Suite has reported about use of Permanent or persistent cookies on client machine. Should we stop using them? What are the alternatives available?

PortSwigger Agent | Last updated: Mar 27, 2018 02:22PM UTC

Hi Sai, Thanks for getting in touch. Could you please include a screenshot of the issue as I'm not quite sure which issue you mean.

Burp User | Last updated: Mar 27, 2018 02:55PM UTC

Thanks Paul, Please find the issue description below:

Description: Sensitive session information such as user credentials or session tokens are stored in a permanent cookie on the client's computer. Permanent (Persistent) cookies are data that a web site presents to the client's web browser, tagged with an expiration date that typically results in the client browser persisting the cookie on local storage (e.g., the hard disk). This data will remain on the user's system and can be accessed by the site the next time the user browses the site, even across browser sessions.

Sensitive information stored in persistent cookies may be leaked to unauthorized users. If the system is shared between multiple users or a remote attacker manages to install malware on the system, an attacker may be able to access the stored cookie and obtain access to its information. The impact to the user and the application will vary depending on the type of data stored in the persistent cookie:
- An attacker who gains access to sensitive session information such as user credentials and session tokens may gain access to the victim's session and impersonate that user in the application
- Leaking personally identifiable information about the victim may lead to identity theft

Note: During the assessment, Cigital observed that the application set a few cookies which contain sensitive information like Username.
Note: This finding is systemic throughout the application.

Steps To Reproduce:
1. Configure your browser to use a proxy tool such as Burp Suite.
2. Log in to the application.
3. Observe the application response in Burp history.

Liam, PortSwigger Agent | Last updated: Mar 27, 2018 02:55PM UTC

This issue is generated by Cigital. This isn't produced by Burp Suite. Please let us know if you need any further assistance.

Liam, PortSwigger Agent | Last updated: Mar 27, 2018 03:09PM UTC

What is the name of the issue in Burp Suite? Have you tried the steps to reproduce the issue?

Burp User | Last updated: Mar 28, 2018 08:59AM UTC

They have used Burp Suite:

Steps To Reproduce:
1. Configure your browser to use a proxy tool such as Burp Suite.
2. Log in to the application.
3. Observe the application response in Burp history.

Burp User | Last updated: Mar 28, 2018 09:26AM UTC

Unfortunately I don't have the issue name, but it says: cookie contains sensitive information like Username and is also set with the Expires attribute.

Steps To Reproduce:
1. Configure your browser to use a proxy tool such as Burp Suite.
2. Log in to the application.
3. Observe the application response in Burp history.
4. Note that the cookie "XXX" contains sensitive information like Username and is also set with the Expires attribute.
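
The check described in the finding above, written out as an added example (this is not Burp Suite's scanner code, nor Cigital's): it scans the Set-Cookie headers of a captured HTTP response and reports cookies that are both persistent (Expires in the future or Max-Age > 0, with Max-Age taking precedence as in RFC 6265) and sensitive-looking (the name suggests identity or session data, or the value looks like an e-mail address). The sample response, the cookie names and the name heuristic are all constructed for this example.

```python
"""Detection check: sensitive data stored in persistent cookies.

Added example, not Burp Suite's or Cigital's code. Parses Set-Cookie headers
from a raw HTTP response and flags cookies that are persistent AND sensitive.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Heuristic (assumption): name fragments that usually mark identity or session data.
SENSITIVE_NAME = re.compile(r"user|login|email|sess|token|auth|pass", re.IGNORECASE)
EMAIL_VALUE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Fixed reference time (constructed) so verdicts are reproducible.
REFERENCE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict[str, str | None]  # attribute names lower-cased; flags map to None


def parse_set_cookie(header: str) -> Cookie:
    """Split 'name=value; Attr=val; Flag' into its parts."""
    pieces = [p.strip() for p in header.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs: dict[str, str | None] = {}
    for piece in pieces[1:]:
        key, sep, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return Cookie(name.strip(), value.strip(), attrs)


def is_persistent(cookie: Cookie, now: datetime) -> bool:
    """True if a browser would write the cookie to disk.

    A well-formed Max-Age wins over Expires (RFC 6265 section 5.3); a malformed
    Max-Age is ignored and Expires is consulted instead. Max-Age <= 0 or a past
    Expires means 'delete this cookie', which is not persistence.
    """
    max_age = cookie.attrs.get("max-age")
    if max_age is not None and re.fullmatch(r"-?\d+", max_age):
        return int(max_age) > 0
    expires = cookie.attrs.get("expires")
    if expires:
        try:
            when = parsedate_to_datetime(expires)
        except (TypeError, ValueError):
            return False  # unparseable Expires: browsers drop the attribute
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        return when > now
    return False  # no Expires/Max-Age: session cookie, gone when the browser closes


def looks_sensitive(cookie: Cookie) -> bool:
    """Name-based heuristic plus an e-mail-shaped value."""
    return bool(SENSITIVE_NAME.search(cookie.name)) or bool(EMAIL_VALUE.match(cookie.value))


def set_cookie_headers(raw_response: str) -> list[str]:
    """Every Set-Cookie value from the header block of a raw HTTP response."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    out: list[str] = []
    for line in head.split("\n")[1:]:  # skip the status line
        key, sep, val = line.partition(":")
        if sep and key.strip().lower() == "set-cookie":
            out.append(val.strip())
    return out


def audit_response(raw_response: str, now: datetime) -> list[dict]:
    """Per-cookie verdicts: name, persistent, sensitive."""
    return [
        {"name": c.name, "persistent": is_persistent(c, now), "sensitive": looks_sensitive(c)}
        for c in map(parse_set_cookie, set_cookie_headers(raw_response))
    ]


def findings(raw_response: str, now: datetime) -> list[str]:
    """Names of cookies matching the reported issue: persistent AND sensitive."""
    return [r["name"] for r in audit_response(raw_response, now) if r["persistent"] and r["sensitive"]]


# Constructed sample response (not a real capture); cookie names are hypothetical.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: Username=alice; Expires=Wed, 09 Jun 2032 10:18:14 GMT; Path=/\r\n"
    "Set-Cookie: JSESSIONID=0A1B2C3D; Path=/; HttpOnly; Secure\r\n"
    "Set-Cookie: theme=dark; Max-Age=31536000; Path=/\r\n"
    "Set-Cookie: oldtoken=deleted; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    for row in audit_response(SAMPLE_RESPONSE, REFERENCE_NOW):
        print(row)
    print("flagged:", findings(SAMPLE_RESPONSE, REFERENCE_NOW))
```

Run against the sample, only `Username` is flagged: `JSESSIONID` is sensitive but a session cookie, `theme` is persistent but not sensitive, and `oldtoken` carries Max-Age=0, which deletes rather than persists. The distinction matters when triaging a report like the one quoted above: an Expires attribute alone is not enough to call a cookie persistent, and a persistent cookie is only a finding when its contents are worth protecting.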

Liam, PortSwigger Agent | Last updated: Mar 28, 2018 09:37AM UTC

This issue is generated by Cigital. This isn't produced by Burp Suite. It doesn't seem that they are suggesting that this is a Burp Suite issue. They are suggesting you use a proxy tool (such as Burp Suite) to reproduce the issue.

Burp User | Last updated: Mar 28, 2018 09:50AM UTC

No they have used Burp Suite only and in the response the cookie contains sensitive information like Username and Expires attribute. Is there any similar issue reported by Burp Suite which talks about disclosure of sensitive information and expiry date by cookies?

Liam, PortSwigger Agent | Last updated: Mar 28, 2018 10:04AM UTC

You can use Burp Suite to test for sensitive data exposure:
- https://support.portswigger.net/customer/portal/articles/1965730-Methodology_Sensitive%20Data%20Exposure.html

There is a scanner check for password value set in cookies:
- https://portswigger.net/kb/issues/00500900_password-value-set-in-cookie
