Description

This web application is configured to use forms authentication, but the protection attribute of its forms element is set to a value other than All (the default value is All). All is the recommended value because this protection mode both encrypts and validates the forms authentication cookie.

Remediation

Set the protection attribute of the forms element to All:

<authentication mode="Forms">
  <forms ... protection="All" />
</authentication>
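
To check a web.config for this setting before deployment, the following added example (not part of the original advisory or of any scanner's code) parses the file and reports every forms authentication block whose protection is not All. The function names, the sample configurations and the loginUrl value are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# What each non-All mode gives up (values of the forms protection attribute).
WEAKER_MODES = {
    "None": "cookie is neither encrypted nor validated",
    "Encryption": "cookie is encrypted but not validated",
    "Validation": "cookie is validated but not encrypted",
}

def local(tag):
    """Drop an XML namespace prefix such as '{uri}authentication'."""
    return tag.rsplit("}", 1)[-1]

def audit_forms_protection(web_config_xml):
    """Return (protection, reason) for each Forms block not set to All."""
    findings = []
    for auth in ET.fromstring(web_config_xml).iter():
        if local(auth.tag) != "authentication" or auth.get("mode") != "Forms":
            continue
        forms = next((c for c in auth if local(c.tag) == "forms"), None)
        # A missing <forms> element or protection attribute means the default, All.
        protection = "All" if forms is None else forms.get("protection", "All")
        if protection != "All":
            findings.append((protection, WEAKER_MODES.get(protection, "unrecognised value")))
    return findings

# Constructed sample configurations (not taken from any real application).
def sample(forms_xml, mode="Forms"):
    return ('<configuration><system.web><authentication mode="%s">%s'
            '</authentication></system.web></configuration>' % (mode, forms_xml))

WEAK = sample('<forms loginUrl="~/Login.aspx" protection="Validation" />')
OFF = sample('<forms loginUrl="~/Login.aspx" protection="None" />')
GOOD = sample('<forms loginUrl="~/Login.aspx" protection="All" />')
DEFAULTED = sample('<forms loginUrl="~/Login.aspx" />')

if __name__ == "__main__":
    for name, cfg in [("WEAK", WEAK), ("OFF", OFF), ("GOOD", GOOD), ("DEFAULTED", DEFAULTED)]:
        print(name, audit_forms_protection(cfg) or "ok")
```

An empty result means every forms authentication block in the file either sets protection to All or relies on the default.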
