| void connect(HttpServletRequest req){ | ||
| javax.servlet.http.Cookie cook = new Cookie("cookie"); | ||
| cook.setSecure(false); | ||
| javax.servlet.http.Cookie cook = new Cookie("cookie"); //another comment |
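Review bot: `cook` is declared twice in the same method body (line 2 and line 4 of the snippet), and `new Cookie("cookie")` uses a one-argument constructor that `javax.servlet.http.Cookie` does not provide (it takes a name and a value), so this file will not compile as written. That is fine for a fixture that only needs to exercise the text-level SAST match, but if the intent is a compilable sample, rename the second variable and pass a value, e.g. `Cookie second = new Cookie("cookie", "value");`. It would also help the rule's tests to include one cookie that sets `setHttpOnly(true)` and `setSecure(true)`, so the fixture has a case where neither finding should fire.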
Cookie created without HttpOnly flag
File: main.java | Checkov ID: CKV3_SAST_16
Description
CWE: CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag
OWASP: A05:2021-Security Misconfiguration
This policy is targeting the creation of HTTP cookies without the "HttpOnly" flag in Java code. The HttpOnly flag is an important security feature that prevents client-side scripts from reading the contents of the cookie. When this flag is not set, it could potentially lead to disclosure of the cookie's contents in the event of a Cross-Site Scripting (XSS) attack.
Here's an example of violating code:
```java
import javax.servlet.http.Cookie;

public class CookieHandler {
    public void createCookie(String name, String value) {
        Cookie cookie = new Cookie(name, value);
        // Other code
    }
}
```

In this example, a new cookie is created with a provided name and value, but the HttpOnly flag is not set.
| void connect(HttpServletRequest req){ | ||
| javax.servlet.http.Cookie cook = new Cookie("cookie"); | ||
| cook.setSecure(false); | ||
| javax.servlet.http.Cookie cook = new Cookie("cookie"); //another comment |
Cookie created without Secure flag set
File: main.java | Checkov ID: CKV3_SAST_19
Description
CWE: CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
OWASP: A05:2021-Security Misconfiguration
The policy addresses the issue of creating and setting cookies without the Secure flag. The Secure flag is a directive for the browser, indicating that the cookie should only be sent over secure (HTTPS) connections. If the Secure flag is not set, the cookie may be sent over insecure (HTTP) connections, potentially exposing sensitive information in an environment vulnerable to eavesdropping.
A violating code example could be:
```java
import javax.servlet.http.Cookie;

public class CookieCreator {
    public void createCookie(javax.servlet.http.HttpServletResponse response) {
        Cookie myCookie = new Cookie("name", "value");
        // The cookie is being created without the Secure flag.
        response.addCookie(myCookie);
    }
}
```

In the above code, a new cookie is being created and added to the HTTP response without setting the Secure flag, thus violating the policy.
| javax.servlet.http.Cookie cook = new Cookie("cookie"); | ||
| cook.setSecure(false); | ||
| javax.servlet.http.Cookie cook = new Cookie("cookie"); //another comment | ||
| cook.setSecure(false); //and another |
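Review bot: the added `cook.setSecure(false); //and another` repeats the call already made two lines earlier on a variable that is redeclared in between, so both findings on this region are the same Secure-flag rule firing on the same shape of line. If the purpose of the trailing `//another comment` and `//and another` is to confirm that a comment after the statement does not defeat the match, a short comment in the fixture saying so would make that intent clear; otherwise the second `setSecure(false)` adds no new case, and a `setSecure(true)` line would be the more useful addition because it gives the rule a non-firing example to check against.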
Cookie created without Secure flag set
File: main.java | Checkov ID: CKV3_SAST_19
Description
CWE: CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
OWASP: A05:2021-Security Misconfiguration
The policy addresses the issue of creating and setting cookies without the Secure flag. The Secure flag is a directive for the browser, indicating that the cookie should only be sent over secure (HTTPS) connections. If the Secure flag is not set, the cookie may be sent over insecure (HTTP) connections, potentially exposing sensitive information in an environment vulnerable to eavesdropping.
A violating code example could be:
```java
import javax.servlet.http.Cookie;

public class CookieCreator {
    public void createCookie(javax.servlet.http.HttpServletResponse response) {
        Cookie myCookie = new Cookie("name", "value");
        // The cookie is being created without the Secure flag.
        response.addCookie(myCookie);
    }
}
```

In the above code, a new cookie is being created and added to the HTTP response without setting the Secure flag, thus violating the policy.
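The two findings in this thread (CKV3_SAST_16 for HttpOnly, CKV3_SAST_19 for Secure) reduce to one question: is a constructed `javax.servlet.http.Cookie` ever given `setHttpOnly(true)` and `setSecure(true)`? The checker below is an added example written for this page, not Checkov's implementation and not code from this PR. It is a simplified, line-based approximation of the two rules, run over two constructed Java snippets: `VULNERABLE_JAVA`, which mirrors the shape of the fixture in the diff (Secure explicitly disabled, HttpOnly never set, a flag call that appears only inside a comment), and `HARDENED_JAVA`, the corrected form with both flags set before `addCookie`. The names `check_cookie_flags`, `strip_comments` and `CookieState` are chosen here.

```python
"""Approximate the two Checkov cookie rules over Java source text.

Simplified example: a real SAST engine works on the parsed AST; this one
tracks one Cookie variable per assignment and reports each constructed
cookie whose HttpOnly / Secure flag is never set to true (or is explicitly
set to false, as in the PR fixture).
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample inputs (not taken from the PR).
VULNERABLE_JAVA = """\
import javax.servlet.http.Cookie;
public class Main {
    void connect(HttpServletRequest req, HttpServletResponse resp) {
        javax.servlet.http.Cookie cook = new Cookie("cookie", "v");
        cook.setSecure(false);
        Cookie other = new Cookie("session", "abc"); // cook.setHttpOnly(true);
        resp.addCookie(cook);
        resp.addCookie(other);
    }
}
"""

HARDENED_JAVA = """\
import javax.servlet.http.Cookie;
public class Main {
    void connect(HttpServletRequest req, HttpServletResponse resp) {
        Cookie cook = new Cookie("cookie", "v");
        cook.setHttpOnly(true);   // not readable by document.cookie (CWE-1004)
        cook.setSecure(true);     // only sent over HTTPS (CWE-614)
        resp.addCookie(cook);
    }
}
"""

# "Cookie name = new Cookie(" with or without the javax.servlet.http prefix.
NEW_COOKIE = re.compile(
    r'\b(?:javax\.servlet\.http\.)?Cookie\s+(\w+)\s*=\s*new\s+'
    r'(?:javax\.servlet\.http\.)?Cookie\s*\(')
# "name.setHttpOnly(true)" / "name.setSecure(false)"
SET_FLAG = re.compile(r'\b(\w+)\.(setHttpOnly|setSecure)\s*\(\s*(true|false)\s*\)')


@dataclass
class CookieState:
    name: str
    line: int
    http_only: Optional[bool] = None   # None: setter never called
    secure: Optional[bool] = None


def strip_comments(src: str) -> str:
    """Drop // and /* */ comments so a flag set only in a comment does not
    count; block comments are replaced by their newlines to keep line numbers."""
    src = re.sub(r'/\*.*?\*/', lambda m: '\n' * m.group(0).count('\n'), src, flags=re.S)
    return re.sub(r'//[^\n]*', '', src)


def check_cookie_flags(java_src: str) -> list:
    """Return (line, variable, check id, message) for every constructed cookie
    that is not given setHttpOnly(true) / setSecure(true). A redeclared
    variable starts a fresh state; the earlier cookie keeps its own findings."""
    states: list = []
    current: dict = {}
    for lineno, line in enumerate(strip_comments(java_src).splitlines(), 1):
        m = NEW_COOKIE.search(line)
        if m:
            st = CookieState(m.group(1), lineno)
            states.append(st)
            current[st.name] = st
        for var, setter, value in SET_FLAG.findall(line):
            st = current.get(var)
            if st is None:
                continue   # setter on something we did not see constructed
            if setter == 'setHttpOnly':
                st.http_only = value == 'true'
            else:
                st.secure = value == 'true'

    findings = []
    for st in states:
        for flag, value, check_id in (('HttpOnly', st.http_only, 'CKV3_SAST_16'),
                                      ('Secure', st.secure, 'CKV3_SAST_19')):
            if value is True:
                continue
            how = 'explicitly disabled' if value is False else 'never set'
            findings.append((st.line, st.name, check_id, f'{flag} flag {how}'))
    return findings


if __name__ == '__main__':
    for label, src in (('vulnerable', VULNERABLE_JAVA), ('hardened', HARDENED_JAVA)):
        print(label)
        for line, var, check_id, msg in check_cookie_flags(src):
            print(f'  line {line}: {var}: {check_id}: {msg}')
```

On the vulnerable sample this reports four findings, two per cookie, and distinguishes `setSecure(false)` (explicitly disabled, the shape in the fixture) from a flag that was simply never set; the hardened sample produces none. The approximation is deliberately narrow: it does not follow a cookie through a helper method, does not see a cookie constructed in one place and flagged in another, and takes a flag as set even if the setter runs after `addCookie`, which is why a production rule works on the AST rather than on lines.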