/
cookie_missing_http_only.yml
95 lines (90 loc) · 3.43 KB
/
cookie_missing_http_only.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
patterns:
- pattern: $<SET_COOKIE>;
filters:
- variable: SET_COOKIE
detection: php_lang_cookie_missing_http_only_setcookie
scope: cursor
- not:
variable: SET_COOKIE
detection: php_lang_cookie_missing_http_only_using_options
scope: cursor
- not:
variable: SET_COOKIE
detection: php_lang_cookie_missing_http_only_httponly
scope: cursor
- pattern: $<FUNCTION>($<_>, $<_>, $<OPTIONS>)
filters:
- variable: FUNCTION
values:
- setcookie
- setrawcookie
- variable: OPTIONS
detection: php_lang_cookie_missing_http_only_array
scope: cursor
- not:
variable: OPTIONS
detection: php_lang_cookie_missing_http_only_httponly_option
scope: cursor
auxiliary:
- id: php_lang_cookie_missing_http_only_setcookie
patterns:
- pattern: $<FUNCTION>()
filters:
- variable: FUNCTION
values:
- setcookie
- setrawcookie
- id: php_lang_cookie_missing_http_only_httponly
patterns:
- pattern: $<_>($<_>, $<_>, $<_>, $<_>, $<_>, $<_>, $<HTTP_ONLY>$<...>)
filters:
- variable: HTTP_ONLY
detection: php_lang_cookie_missing_http_only_true
scope: cursor
- pattern: |
$<_>(httponly: $<TRUE>)
filters:
- variable: "TRUE"
detection: php_lang_cookie_missing_http_only_true
scope: cursor
- id: php_lang_cookie_missing_http_only_using_options
patterns:
- pattern: $<_>($<_>, $<_>, $<OPTIONS>)
filters:
- variable: OPTIONS
detection: php_lang_cookie_missing_http_only_array
scope: cursor
- id: php_lang_cookie_missing_http_only_true
patterns:
- pattern: "true;"
- id: php_lang_cookie_missing_http_only_array
patterns:
- pattern: array();
- id: php_lang_cookie_missing_http_only_httponly_option
patterns:
- pattern: array('httponly' => $<SECURE>)
filters:
- variable: SECURE
detection: php_lang_cookie_missing_http_only_true
scope: cursor
languages:
- php
metadata:
description: Missing HTTP Only option in cookie configuration
remediation_message: |-
## Description
Not setting the "httponly" attribute to "true" in cookie configurations leaves the cookie vulnerable to being accessed by client-side JavaScript. This oversight can lead to the exposure of cookie values, especially on websites susceptible to Cross-Site Scripting (XSS) attacks. Enabling "httponly" is a critical step in preventing malicious scripts from reading the cookie values through JavaScript.
## Remediations
- **Do** set the `httponly` attribute to `true` in your cookie configurations. This action prevents client-side scripts from sending or accessing the cookie, enhancing your application's security against XSS attacks.
```php
setcookie("name", "value", httponly: true);
```
## References
- [OWASP Session Management Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html)
- [OWASP Cookies Properties](https://owasp.org/www-community/controls/SecureCookieAttribute)
cwe_id:
- 1004
id: php_lang_cookie_missing_http_only
documentation_url: https://docs.bearer.com/reference/rules/php_lang_cookie_missing_http_only
cloud_code_suggestions: true
severity: medium