Description

Acunetix found a cookie that appears to carry a signature (MAC). A signature is usually used to protect cookie data against tampering, so it is very important that an attacker does not know the secret key used to sign the cookie. Your application is using a weak or known secret key, and Acunetix managed to guess it.

Remediation

Change the secret used with HMAC to a long random string.
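The remediation above, sketched as an added example (not Acunetix's code or any framework's API): generate the key from the OS CSPRNG, refuse weak keys at startup, and verify the MAC in constant time. The function names, the `payload.mac` cookie layout, the 32-byte minimum and the placeholder set are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets

MIN_SECRET_BYTES = 32  # assumption: 256-bit key for HMAC-SHA256
# Constructed sample of placeholder values, not a real wordlist.
PLACEHOLDER_SECRETS = {b"secret", b"changeme", b"key"}


def new_secret() -> bytes:
    """Return a fresh signing key from the OS CSPRNG."""
    return secrets.token_bytes(MIN_SECRET_BYTES)


def check_secret(secret: bytes) -> None:
    """Refuse to run with a short or placeholder signing key."""
    if secret in PLACEHOLDER_SECRETS or len(secret) < MIN_SECRET_BYTES:
        raise ValueError("cookie signing secret is too weak")


def _mac(secret: bytes, payload: bytes) -> bytes:
    return hmac.new(secret, payload, hashlib.sha256).digest()


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii")


def sign_cookie(secret: bytes, payload: bytes) -> str:
    """Encode as base64url(payload) + '.' + base64url(HMAC-SHA256 tag)."""
    check_secret(secret)
    return _b64(payload) + "." + _b64(_mac(secret, payload))


def verify_cookie(secret: bytes, cookie: str):
    """Return the payload if the MAC is valid, otherwise None."""
    try:
        body, _, tag = cookie.partition(".")
        payload = base64.urlsafe_b64decode(body.encode("ascii"))
        received = base64.urlsafe_b64decode(tag.encode("ascii"))
    except ValueError:  # malformed base64 or non-ASCII input
        return None
    # Constant-time comparison avoids leaking how many bytes matched.
    if hmac.compare_digest(received, _mac(secret, payload)):
        return payload
    return None
```

Cookies signed with the old key stop verifying once the secret is replaced, so existing sessions are invalidated when the key changes.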
