Details
Type: Improvement
Status: Resolved
Priority: Minor
Resolution: Not A Bug
Affects Version/s: 1.2.0, 1.3.0
Fix Version/s: None
Component/s: None
Description
It is possible for an attacker to directly steal user session information by having a user visit or load a URL using Knox, as cookies are forwarded in the header on the outbound request. This behavior doesn't seem to serve any particular function either, as the endpoint Knox tries to contact shouldn't need any authentication by Knox. We suggest that user-Knox cookies should be omitted from the outbound request.
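The forwarding behaviour the report describes, shown as an added illustration rather than Knox's own code: a naive header copy that passes the user's gateway session cookies on to whatever backend the gateway is asked to contact, beside a hardened copy that strips those cookies from the outbound Cookie header, and an audit check that reports which session cookies would still leak. The cookie names treated as gateway-session cookies, the header-copying functions and the sample request are all assumptions made for this example.

```python
# Added illustration of the cookie-forwarding problem described in this issue.
# This is NOT Knox's code; the functions, cookie names and the sample request
# below are constructed for the example.

# Cookie names we assume belong to the gateway's own user session (assumption for
# this example; "hadoop-jwt" is the name of the Knox SSO cookie, "JSESSIONID"
# the servlet-container session cookie).
GATEWAY_SESSION_COOKIES = frozenset({"hadoop-jwt", "JSESSIONID"})


def parse_cookie_header(value):
    """Split a Cookie request header ("a=1; b=2") into (name, value) pairs, in order."""
    pairs = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        pairs.append((name.strip(), val.strip()))
    return pairs


def _cookie_header(headers):
    """Return the value of the Cookie header, matched case-insensitively, or None."""
    for name, value in headers.items():
        if name.lower() == "cookie":
            return value
    return None


def forward_headers_naive(inbound):
    """Behaviour the issue describes: every inbound header, Cookie included, is
    copied onto the outbound request, so whatever endpoint the user can make the
    gateway fetch receives the user's gateway session cookies."""
    return dict(inbound)


def forward_headers_hardened(inbound, session_cookie_names=GATEWAY_SESSION_COOKIES):
    """Copy inbound headers but strip the gateway's own session cookies from Cookie.
    Other cookies are passed through, since a backend may legitimately need them;
    if nothing is left, no Cookie header is sent at all."""
    outbound = {k: v for k, v in inbound.items() if k.lower() != "cookie"}
    raw = _cookie_header(inbound)
    if raw is None:
        return outbound
    kept = [f"{n}={v}" for n, v in parse_cookie_header(raw)
            if n not in session_cookie_names]
    if kept:
        outbound["Cookie"] = "; ".join(kept)
    return outbound


def leaked_session_cookies(outbound, session_cookie_names=GATEWAY_SESSION_COOKIES):
    """Audit check: list the gateway session cookies that would reach the backend."""
    raw = _cookie_header(outbound)
    if raw is None:
        return []
    return [n for n, _ in parse_cookie_header(raw) if n in session_cookie_names]


# Constructed sample request: a browser logged in to the gateway asks it to fetch
# an attacker-chosen URL. Token values are placeholders, not real credentials.
SAMPLE_INBOUND = {
    "Host": "gateway.example.internal",
    "Accept": "*/*",
    "Cookie": "hadoop-jwt=eyJhbGciOi.placeholder.sig; JSESSIONID=0123ABCD; theme=dark",
}

if __name__ == "__main__":
    print("naive   :", leaked_session_cookies(forward_headers_naive(SAMPLE_INBOUND)))
    print("hardened:", leaked_session_cookies(forward_headers_hardened(SAMPLE_INBOUND)))
```

Run stand-alone, the naive copy reports both session cookies leaking to the backend and the hardened copy reports none while still forwarding the unrelated `theme` cookie. The check in `leaked_session_cookies` is the kind of assertion worth keeping in a proxy's test suite, since a header-forwarding allowlist is easy to regress silently.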