1

I was using Wireshark and expecting to see a JSESSIONID in an HTTP request, but it did not seem to be there for HTTP requests. I could see my own JSESSIONID however. Would upgrade-insecure-requests help protect a query string from sniffing?

Anders
user146116

2 Answers

1

I was using Wireshark and expecting to see a JSESSIONID in an HTTP request, but it did not seem to be there for HTTP requests. I could see my own JSESSIONID however.

JSESSIONID is a cookie that is usually flagged with the "secure" and "no script" flags. The "secure" flag tells compliant browsers to not send that cookie over HTTP, only HTTPS.

Would upgrade-insecure-requests help protect a query string from sniffing?

The HTTP Upgrade-Insecure-Requests request header sends a signal to the server expressing the client’s preference for an encrypted and authenticated response... more: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Upgrade-Insecure-Requests

If the server receives the request with Upgrade-Insecure-Requests: 1 it can redirect the client that expressed the preference for secure requests to the HTTPS version of the site.

IN GENERAL:

Query string is part of the URL in the request. The URL appears in the request line of the HTTP request:

GET /some/url?a=b HTTP/1.1

To protect it from sniffing you need SSL/TLS that establishes a secure TCP session before sending data and then encrypts the communication/data.

  • But if I have only HTTP on my site, the cookie will have to be sent in HTTP? Or does this happen only if you emit the cookie from HTTPS first? – Walfrat Apr 19 '17 at 15:25
  • The cookie will not be sent over HTTP, the "secure" flag will prevent that. But you can set the cookie over plain HTTP. set-cookie header can be sent over HTTP, even if the cookie it is setting has the secure flag. More on this: https://security.stackexchange.com/questions/140940/can-a-secure-cookie-be-set-from-an-insecure-http-connection-if-so-why-is-it-al – Mindaugas Bernatavičius Apr 19 '17 at 19:47
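
An added example (not part of the original answer or its comments) of the two points above: in a plaintext HTTP request the query string sits in the request line where any sniffer on the path can read it, and only cookies set without the "secure" flag travel over HTTP. The request, the Set-Cookie headers, the host name and the list of sensitive names are constructed for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit, parse_qsl

# Assumption: names treated as sensitive in this illustration.
SENSITIVE = {"jsessionid", "token", "password"}

# Constructed sample: a request sent over plain HTTP (port 80, no TLS).
HTTP_REQUEST = (
    "GET /some/url?a=b&token=constructed-value HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Cookie: theme=dark\r\n"
    "Upgrade-Insecure-Requests: 1\r\n\r\n"
)

# Constructed sample: Set-Cookie headers the server issued earlier.
SET_COOKIE = [
    "JSESSIONID=CONSTRUCTED123; Path=/; Secure; HttpOnly",
    "theme=dark; Path=/",
]

def audit_cleartext_request(raw):
    """List sensitive names readable on the wire in a plaintext HTTP request."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    findings = []
    # The query string is part of the request line, so it is sent before
    # the server can react to Upgrade-Insecure-Requests with a redirect.
    for name, _value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if name.lower() in SENSITIVE:
            findings.append("query:" + name)
    for line in lines[1:]:
        key, _, value = line.partition(":")
        if key.strip().lower() == "cookie":
            for pair in value.split(";"):
                name = pair.split("=", 1)[0].strip()
                if name.lower() in SENSITIVE:
                    findings.append("cookie:" + name)
    return findings

def cookies_sent_over_http(set_cookie_headers):
    """Names of cookies a compliant browser would still send over plain HTTP."""
    exposed = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if not morsel["secure"]:  # flag absent: cookie is not HTTPS-only
                exposed.append(name)
    return exposed

if __name__ == "__main__":
    print(audit_cleartext_request(HTTP_REQUEST))
    print(cookies_sent_over_http(SET_COOKIE))
```

The JSESSIONID is absent from the plaintext request because of its "secure" flag, while the token in the query string is exposed even though the client sent Upgrade-Insecure-Requests.
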
0

First of all, using HTTP to transmit sensitive data is not a good idea whether you use query strings or any other mechanism because you are vulnerable in many ways. Even if you are using HTTPS, there are many aspects you need to consider when you are deploying.

protect a query string

I think you are concerned about attacks such as XSS and SSRF here? If you are using data in a query string, you must perform data sanitization, URL encoding and, most importantly, server-side data validation as well before you process your data.

user3496510