Hi, we are running the Rasa Server and it is working fine. Customer did Nessus scan and it caught the below issue. Can please advise how to resolve or is there any justification where we can provide as exception? Below is the scan information. Thanks.
Plugin Output : The request string used to detect this flaw was : /<script>document.cookie=%22testqglm=3621;%22</script> The output was : HTTP/1.1 404 Not Found Connection: keep-alive Keep-Alive: 5 Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true Content-Length: 81 Content-Type: text/plain; charset=utf-8 Error: Requested URL /<script>document.cookie=“testqglm=3621;”</script> not found
Description: The remote host is running a web server that fails to adequately sanitize request strings of malicious JavaScript. By leveraging this issue, an attacker may be able to inject arbitrary cookies. Depending on the structure of the web application, it may be possible to launch a ‘session fixation’ attack using this mechanism. Please note that :
- Nessus did not check if the session fixation attack is feasible.
- This is not the only vector of session fixation.