CookieWithoutSecure.qhelp
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>A cookie set without the <code>Secure</code> attribute is sent by the browser on plain HTTP requests as well as HTTPS ones,
so anyone who can observe or intercept traffic on the network path can read it. If a sensitive cookie such as a session
identifier is captured this way, the attacker can replay it and perform actions on the user's behalf.</p>
</overview>
<recommendation>
<p>
When using ASP.NET Core, ensure cookies have the Secure flag set by setting <code>Microsoft.AspNetCore.Http.CookieOptions.Secure</code> to <code>true</code> for each cookie you write, or
by registering <code>CookiePolicyOptions</code> with <code>Secure = CookieSecurePolicy.Always</code> and adding the cookie policy middleware, which applies the flag to every cookie the application sets.
Note that <code>CookieOptions.Secure</code> defaults to <code>false</code>, and that the policy's default, <code>CookieSecurePolicy.SameAsRequest</code>, only marks cookies Secure when the incoming request itself is HTTPS, which is not reliable behind a TLS-terminating proxy.
</p>
<p>
When using ASP.NET Web Forms, cookies can be configured as secure by default in the <code>Web.config</code> file by setting the <code>requireSSL</code> attribute to <code>true</code> on the <code>forms</code> element (the forms-authentication cookie) or the <code>httpCookies</code> element (all cookies written by the application).
Individual cookies may also be marked secure programmatically by setting the <code>System.Web.HttpCookie.Secure</code> property to <code>true</code>.
</p>
</recommendation>
<example>
<p>
In the example below, <code>Microsoft.AspNetCore.Http.CookieOptions.Secure</code> is set to <code>true</code>.
</p>
<sample src="secureflagcore.cs" />
<p>
In the following example, <code>CookiePolicyOptions</code> are set programmatically to configure defaults.
</p>
<sample src="cookiepolicyoptions.cs" />
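<p>
The two ASP.NET Core fixes, per-cookie and application-wide, as an added example that is not one of the query help's sample files. It assumes .NET 6 or later with minimal hosting; the endpoint paths and the cookie name are assumptions made for this example.
</p>

```csharp
// Added example; not one of the query help's sample files.
// Minimal ASP.NET Core (.NET 6+) app showing a session cookie written without
// the Secure flag, the per-cookie fix via CookieOptions.Secure, and the
// application-wide fix via CookiePolicyOptions. Endpoint paths and the
// cookie name are assumptions made for this example.
using System;
using System.Security.Cryptography;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// Application-wide default. CookieSecurePolicy.Always makes the cookie policy
// middleware add the Secure attribute to every Set-Cookie the app emits, even
// ones written by code that forgot it. The default, SameAsRequest, only marks
// cookies Secure when the incoming request itself is HTTPS, which silently
// fails behind a TLS-terminating reverse proxy unless forwarded headers are
// honoured, so prefer Always.
builder.Services.Configure<CookiePolicyOptions>(options =>
{
    options.Secure = CookieSecurePolicy.Always;
});

var app = builder.Build();

// The middleware must run before any endpoint that writes cookies.
app.UseCookiePolicy();

// Flagged by the query: CookieOptions.Secure defaults to false, so without the
// policy above the browser would send "session" on plain http:// requests too.
app.MapGet("/login-insecure", (HttpContext ctx) =>
{
    ctx.Response.Cookies.Append("session", NewSessionId(), new CookieOptions
    {
        HttpOnly = true,
        Expires = DateTimeOffset.UtcNow.AddHours(1)
    });
    return "logged in (cookie written without Secure)";
});

// Fixed at the call site: Secure = true confines the cookie to HTTPS.
app.MapGet("/login", (HttpContext ctx) =>
{
    ctx.Response.Cookies.Append("session", NewSessionId(), new CookieOptions
    {
        Secure = true,
        HttpOnly = true,
        Expires = DateTimeOffset.UtcNow.AddHours(1)
    });
    return "logged in";
});

app.Run();

// 256-bit random session identifier; any unguessable value would do here.
static string NewSessionId() =>
    Convert.ToHexString(RandomNumberGenerator.GetBytes(32));
```

<p>
Serve the app over HTTPS and inspect the <code>Set-Cookie</code> header: <code>/login</code> carries <code>Secure</code> from its own options, and with the policy registered <code>/login-insecure</code> does as well. Removing the <code>Configure&lt;CookiePolicyOptions&gt;</code> call reproduces the finding on the first endpoint. The fix only works together with HTTPS: modern browsers discard a cookie carrying <code>Secure</code> when it arrives in a plain HTTP response.
</p>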
<p>
In the example below, the <code>System.Web.HttpCookie.Secure</code> property is set to <code>true</code> programmatically.
</p>
<sample src="secureflag.cs" />
<p>
In the example below, the <code>requireSSL</code> attribute is set to <code>true</code> in the <code>forms</code> element of the <code>Web.config</code> file.
</p>
<sample src="Web.config" />
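<p>
The Web Forms fixes, programmatic and declarative, as an added example that is not one of the query help's sample files. It targets <code>System.Web</code> on .NET Framework; the page class, cookie name and user name are assumptions made for this example.
</p>

```csharp
// Added example; not one of the query help's sample files.
// ASP.NET Web Forms (System.Web) code-behind showing a session cookie written
// without Secure, the fix via HttpCookie.Secure, and the same fix applied to
// the forms-authentication cookie. The page class, cookie name and user name
// are assumptions made for this example.
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    // Flagged by the query: HttpCookie.Secure defaults to false (unless
    // <httpCookies requireSSL="true"> is present in Web.config).
    private static HttpCookie InsecureSessionCookie(string sessionId)
    {
        return new HttpCookie("session", sessionId);
    }

    // Fixed: the Secure property confines the cookie to HTTPS.
    private static HttpCookie SecureSessionCookie(string sessionId)
    {
        return new HttpCookie("session", sessionId)
        {
            Secure = true,
            HttpOnly = true,
            Expires = DateTime.UtcNow.AddHours(1)
        };
    }

    // 256-bit random session identifier from the platform CSPRNG.
    private static string NewSessionId()
    {
        byte[] buf = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(buf);
        }
        return BitConverter.ToString(buf).Replace("-", "");
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // A Secure cookie is only useful, and is only accepted by modern
        // browsers, when the response itself travels over HTTPS.
        if (!Request.IsSecureConnection)
        {
            Response.Redirect("https://" + Request.Url.Host + Request.RawUrl, true);
            return;
        }

        Response.Cookies.Add(SecureSessionCookie(NewSessionId()));

        // FormsAuthentication.SetAuthCookie has no per-call Secure switch; it
        // follows requireSSL on <forms> in Web.config. To force the flag in
        // code, build the cookie with GetAuthCookie and set Secure before
        // adding it to the response. "alice" is a placeholder user name.
        HttpCookie authCookie = FormsAuthentication.GetAuthCookie("alice", false);
        authCookie.Secure = true;
        Response.Cookies.Add(authCookie);
    }
}

// Declarative equivalent in Web.config. <forms requireSSL="true"> covers the
// forms-authentication cookie (and makes SetAuthCookie throw when the request
// is plain HTTP); <httpCookies requireSSL="true"> makes Secure the default for
// every HttpCookie the application constructs:
//
//   <system.web>
//     <authentication mode="Forms">
//       <forms loginUrl="Login.aspx" requireSSL="true" />
//     </authentication>
//     <httpCookies requireSSL="true" />
//   </system.web>
```

<p>
Prefer the <code>Web.config</code> setting where possible: it changes the default for every cookie instead of relying on each call site to remember the property, which is exactly the omission this query looks for.
</p>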
</example>
<references>
<li>ASP.NET Core docs: <a href="https://docs.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.cookieoptions.secure">CookieOptions.Secure Property</a>.</li>
<li>MDN: <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie">Set-Cookie</a> Header.</li>
<li>Web Forms docs: <a href="https://msdn.microsoft.com/en-us/library/system.web.security.formsauthentication.requiressl(v=vs.110).aspx">FormsAuthentication.RequireSSL Property</a>.</li>
<li>Web Forms docs: <a href="https://msdn.microsoft.com/en-us/library/1d3t3c61(v=vs.100).aspx">forms Element for authentication</a>.</li>
<li>Web Forms docs: <a href="https://msdn.microsoft.com/library/ms228262%28v=vs.100%29.aspx">httpCookies Element</a>.</li>
<li>Detectify: <a href="https://support.detectify.com/support/solutions/articles/48001048982-cookie-lack-secure-flag">Cookie lack Secure flag</a>.</li>
<li>PortSwigger: <a href="https://portswigger.net/kb/issues/00500200_tls-cookie-without-secure-flag-set">TLS cookie without secure flag set</a>.</li>
</references>
</qhelp>