UEM JS Agent: How to change the vulnerable path field in dtCookie?

We are using Dynatrace 6.5 to instrument an Android app, for which the application security team has raised a security concern about the Set-Cookie Path field, as shown in the snapshot. I am not very aware of how to control settings in Dynatrace to change this Path. Can you please suggest?


Any help ? @Andreas G. @Babar Q. @Dave M.

I think this 'path=/' setting is auto-generated within the bootstrap or initcode js.

BabarQayyum
Leader

Hello Rajesh,

When we generate an 'initcode' with the REST API, a dynamic kind of JS is generated. The purpose of this is that we can change the featurehashes on the fly, and it will be applied without replacing the index.html script tag again and again like in the past.

Below is an example of a generated initcode where we can see the path=/ before domain + function etc.

a+'="";path=/'+(d.domain?";domain="+d.domain:"")+"; expires=Thu, 01-Jan-70 00:00:01 GMT;"}function E(a){a=encodeURIComponent(a);var b=[];if(a)for(var c=0;c<a.length;c++){var k=a.charAt(c),d=X[k];d?l(b,d):l(b,k)}return b.join("")}function F(a,b,c){b||0==b?(b=(""+b).replace(/[;\n\r]/g,"_"),b="DTSA"===a.toUpperCase()?E(b):b,a=a+"="+b+";path=/"+(d.domain?";domain="+d.domain:""),c&&(a+=";expires="+c.toUTCString()),document.cookie=a):D(a)}function r(a){var b,c,k,d=document.cookie.split(";");for(b=0;b<d.length;b++)if(c=

I believe security should not have any issue with this, because at the beginning of the line dtCookie is clearly mentioned.

Regards,

Babar

dave_mauney
Dynatrace Champion

Hi Rajesh,

My guess is that changing the path of the JS or the monitor signal would affect the Path set by the cookie.

What is the security concern? It should not be a secret that the root path exists for a web site or am I missing something?

Thanks,

dave

Hi Dave,

I have just tried this actually, and the path didn't change when I didn't serve the agent from the root. No matter what I did, the cookie path remained on /.

Flo

Ok, and what is the security concern with the Path=/?

Thanks Dave. I have asked them for clarification regarding this. Will keep posted here. Regards, Rajesh. @Babar Q.

Hello @Dave M.,

I have got the reply from the security team. Here is an excerpt for this:

Just as with the domain attribute, if the path attribute is set too loosely, then it could leave the application vulnerable to attacks by other applications on the same server. For example, if the path attribute was set to the web server root "/", then the application cookies will be sent to every application within the same domain.

Is there a way to control the path attribute for a stricter path on the Agent side or the Dt Server side?

Kindly let us know.

@Florent D. @Andreas G.
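To make the two points above concrete (the generated initcode building a `;path=/` cookie string, and the security team's note that a root-scoped cookie is attached to every application under the same domain), here is an added example that is not Dynatrace code and not from any poster in this thread. `buildCookieString` only imitates the shape of the minified `F()` function quoted earlier (value sanitised, `path=` appended, optional `domain` and `expires`); `pathMatches` applies the RFC 6265 path-match rule so you can see which cookies a browser would send to which request path. The cookie names and paths are constructed sample values.

```javascript
// Added example: how the Path attribute scopes a cookie (not Dynatrace code).

// Build a cookie string the way the quoted agent code does, but with the
// path configurable instead of hard-coded to "/".
function buildCookieString(name, value, opts = {}) {
  const path = opts.path || "/";
  // Same sanitisation as the agent: strip separators from the value.
  const safeValue = String(value).replace(/[;\n\r]/g, "_");
  let cookie = `${name}=${safeValue};path=${path}`;
  if (opts.domain) cookie += `;domain=${opts.domain}`;
  if (opts.expires instanceof Date) cookie += `;expires=${opts.expires.toUTCString()}`;
  return cookie;
}

// Parse a "name=value;attr=val;..." string into an attribute object.
function parseCookieString(cookie) {
  const parts = cookie.split(";").map((p) => p.trim());
  const [name, ...rest] = parts[0].split("=");
  const attrs = { name, value: rest.join("=") };
  for (const part of parts.slice(1)) {
    const idx = part.indexOf("=");
    const key = (idx === -1 ? part : part.slice(0, idx)).toLowerCase();
    attrs[key] = idx === -1 ? true : part.slice(idx + 1);
  }
  return attrs;
}

// RFC 6265 section 5.1.4 path-match: is a cookie scoped to cookiePath
// attached to a request for requestPath?
function pathMatches(cookiePath, requestPath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  if (cookiePath.endsWith("/")) return true;
  return requestPath.charAt(cookiePath.length) === "/";
}

// Names of the cookies from cookieStrings that would ride along on a request.
function cookiesSentTo(cookieStrings, requestPath) {
  return cookieStrings
    .map(parseCookieString)
    .filter((c) => pathMatches(c.path || "/", requestPath))
    .map((c) => c.name);
}

// Constructed sample: a root-scoped monitoring cookie next to a cookie
// restricted to one application's path on the same host.
const SAMPLE_COOKIES = [
  buildCookieString("dtCookie", "abc123", { path: "/" }),
  buildCookieString("appSession", "xyz", { path: "/app1" }),
];

// Which cookies reach which application under the same domain.
function demo() {
  return {
    app1: cookiesSentTo(SAMPLE_COOKIES, "/app1/home"),
    app2: cookiesSentTo(SAMPLE_COOKIES, "/app2/home"),
    app1Sibling: cookiesSentTo(SAMPLE_COOKIES, "/app10/home"),
  };
}

console.log(demo());
```

Running it shows the root-scoped `dtCookie` reaching `/app1`, `/app2` and `/app10` alike, while `appSession` with `path=/app1` is sent only under `/app1/` (and not to `/app10`, because the character after the prefix must be `/`). That difference is exactly what the security team's excerpt describes; whether the agent's cookie path can be narrowed is the open question of the thread.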

Hi Rajesh,

Thanks for the explanation of the security concern. Sorry, I have no ideas on how to modify the path. Maybe someone else will...

Thanks,

dave

Hi Dave, I have raised a support case here. Thanks for help.