InsecureCookie.qhelp
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>A cookie set without the `secure` flag (the `Secure` attribute of the `Set-Cookie` header) is sent by the browser over plain HTTP as well as HTTPS.
An attacker on the network path can then read it in cleartext; for a session cookie this means the attacker can take over the session.</p>
</overview>
<recommendation>
<p>Always set the `secure` flag to `true` on a cookie before adding it
to an HTTP response, rather than relying on the library default (which is `false` for most of the libraries below).
If the application runs behind a TLS-terminating proxy, also configure the framework to trust the proxy (for example `trust proxy` in express), since otherwise the middleware may see a plain-HTTP connection and refuse to set a `secure` cookie.</p>
</recommendation>
<example>
<p>In the first example the `secure` flag is explicitly set to `false` using the express middleware `cookie-session`.
In the second example the `secure` flag is set to `true`. Note that `cookie-session` defaults `secure` to `false` for an HTTP connection and `true` for an HTTPS connection, so the unsafe value in the first example is chosen explicitly.</p>
<sample src="examples/cookie-session_bad.js" />
<sample src="examples/cookie-session_good.js" />
</example>
<example>
<p>The first four examples show four ways of configuring the session cookie with the express middleware `express-session`.
Since the default value of the `secure` flag is `false`, each of them produces a cookie without the `secure` flag, whether the flag is set to `false` explicitly, left unset, or the cookie options are left empty.
In the last example the `secure` flag is set to `true`.</p>
<sample src="examples/express-session_bad1_false.js" />
<sample src="examples/express-session_bad2_notSet.js" />
<sample src="examples/express-session_bad3_setEmpty.js" />
<sample src="examples/express-session_bad4.js" />
<sample src="examples/express-session_good.js" />
</example>
<example>
<p>The first two examples show two ways of adding a cookie using the method `response.cookie`.
In both cases the `secure` flag is set to `false`.
In the last example the `secure` flag is set to `true`.</p>
<sample src="examples/express_response-cookie_bad1.js" />
<sample src="examples/express_response-cookie_bad2.js" />
<sample src="examples/express_response-cookie_good1.js" />
</example>
<example>
<p>The first example shows a cookie added by writing the `Set-Cookie` header of an HTTP response directly.
In this case the `Secure` attribute is missing from the header.
In the last example the `Secure` attribute is set.</p>
<sample src="examples/httpserver_bad.js" />
<sample src="examples/httpserver_good.js" />
</example>
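<p>The following is an added example, not one of the query's own sample files. It shows the plain HTTP-server case from the text: a handler that writes a session cookie to the `Set-Cookie` header without `Secure`, its fixed version, and a small audit that parses `Set-Cookie` header values and reports cookies that lack the attribute. The handler names, the `FakeResponse` test double and the cookie values are assumptions made for the example; the `setHeader`/`end` calls have the same signatures as on a real `http.ServerResponse`.</p>

```javascript
// Added example (not part of the CodeQL query help or its sample files).

// Serialize a Set-Cookie header value by hand, the way a handler using the
// plain http module must. Attribute names are case-insensitive (RFC 6265).
function serializeCookie(name, value, opts = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.path) parts.push(`Path=${opts.path}`);
  if (opts.maxAge !== undefined) parts.push(`Max-Age=${opts.maxAge}`);
  if (opts.httpOnly) parts.push('HttpOnly');
  if (opts.secure) parts.push('Secure');
  if (opts.sameSite) parts.push(`SameSite=${opts.sameSite}`);
  return parts.join('; ');
}

// Vulnerable handler: the cookie has no Secure attribute, so the browser also
// sends it on plain HTTP requests to the host and a network attacker can read it.
function badHandler(req, res) {
  res.setHeader('Set-Cookie', serializeCookie('session', 'opaque-session-id', {
    path: '/', httpOnly: true,
  }));
  res.end('ok');
}

// Fixed handler: Secure restricts the cookie to HTTPS. HttpOnly and SameSite
// are kept because they address different attacks (script access and CSRF).
function goodHandler(req, res) {
  res.setHeader('Set-Cookie', serializeCookie('session', 'opaque-session-id', {
    path: '/', httpOnly: true, secure: true, sameSite: 'Strict',
  }));
  res.end('ok');
}

// Audit: given the Set-Cookie header value(s) of a response (a string or an
// array of strings), return the names of cookies that lack the Secure attribute.
function findInsecureCookies(setCookie) {
  const headers = Array.isArray(setCookie) ? setCookie : [setCookie];
  const insecure = [];
  for (const header of headers) {
    const [pair, ...attrs] = header.split(';').map((s) => s.trim());
    const name = pair.split('=')[0];
    const hasSecure = attrs.some((a) => a.toLowerCase() === 'secure');
    if (!hasSecure) insecure.push(name);
  }
  return insecure;
}

// Constructed stand-in for http.ServerResponse that only records headers, so
// the handlers can be exercised without opening a socket.
class FakeResponse {
  constructor() { this.headers = {}; this.body = null; }
  setHeader(name, value) { this.headers[name.toLowerCase()] = value; }
  end(body) { this.body = body; }
}

// Run a handler against the test double and audit the cookies it set.
function auditHandler(handler) {
  const res = new FakeResponse();
  handler({ url: '/' }, res);
  return findInsecureCookies(res.headers['set-cookie'] || []);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('badHandler cookies without Secure:', auditHandler(badHandler));
  console.log('goodHandler cookies without Secure:', auditHandler(goodHandler));
}
```

<p>`auditHandler(badHandler)` reports `['session']` while `auditHandler(goodHandler)` reports an empty list. The same `findInsecureCookies` check can be pointed at the `set-cookie` headers of a live response (for example from `http.get`) to verify a deployment, which is useful behind a TLS-terminating proxy where the framework's own `secure` handling depends on `trust proxy`.</p>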
<example>
<p>In the first example the `secure` flag is set to `false` using the client-side `js-cookie` library.
In the second example the `secure` flag is set to `true`.</p>
<sample src="examples/jsCookie_bad.js" />
<sample src="examples/jsCookie_good.js" />
</example>
<references>
<li>Production Best Practices: Security: <a href="https://expressjs.com/en/advanced/best-practice-security.html#use-cookies-securely">Use cookies securely</a>.</li>
<li>NodeJS security cheat sheet: <a href="https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#set-cookie-flags-appropriately">Set cookie flags appropriately</a>.</li>
<li>express-session: <a href="https://github.com/expressjs/session#cookiesecure">cookie.secure</a>.</li>
<li>cookie-session: <a href="https://github.com/expressjs/cookie-session#cookie-options">Cookie Options</a>.</li>
<li><a href="https://expressjs.com/en/api.html#res.cookie">express response.cookie</a>.</li>
<li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie">Set-Cookie</a>.</li>
<li><a href="https://github.com/js-cookie/js-cookie">js-cookie</a>.</li>
</references>
</qhelp>