# Step 1: Evidence Details

|System|Source of data|Frameworks|Purpose|
|---|---|---|---|
|QueryStrings from HAR file|HAR File|OWASP|Ensure that no session tokens are present in the URL.|

```
RecommendedEvidenceName: VerifySessionTokenIsNotPresentInURL
```



# Step 2: Define the System Specific Data

```
{
    "Host": "example.com",
    "URL": "https://example.com/page1?param1=value1&param2=value2",
    "Status": "Failed",
    "StatusDescription": "<<TOKEN>> is repeating in query parameter and value seems like JWT token - Query name: 'token2'",
    "Remediation": "Move 'token2' to header"
}
```

# Step 3: Define the Standard Schema

```
[
    {
        # Meta
        "System": "example.com",
        "Source": "compliancecow",

        # Resource info
        "ResourceID": "https://example.com/page1?param1=value1&param2=value2&token=<<TOKEN>>",
        "ResourceName": "N/A",
        "ResourceType": "N/A",
        "ResourceLocation": "N/A",
        "ResourceTags": "N/A",

        # Data
        "Host": "example.com",
        "QueryName": "token",
        "Status": "Failed",
        "Remediation": "Move 'token' to header",

        # Compliance details
        "ValidationStatusCode": "JWT_TOKEN_FOUND",
        "ValidationStatusNotes": "<<TOKEN>> is repeating in query parameter and value seems like JWT token - Query name: 'token'",
        "ComplianceStatus": "NON_COMPLIANT",
        "ComplianceStatusReason": "<<TOKEN>> is repeating in query parameter and value seems like JWT token - Query name: 'token'",
        "EvaluatedTime": "2024-02-28T09:56:39.833321Z",

        # User editable data
        "UserAction": "",

        # Action editable data
        "ActionStatus": "",
        "ActionResponseURL": ""
    }
]
```

# Step 3.a: Sample Data

|System|Source|ResourceID|ResourceName|ResourceType|ResourceLocation|ResourceTags|Host|QueryName|Status|Remediation|ValidationStatusCode|ValidationStatusNotes|ComplianceStatus|ComplianceStatusReason|EvaluatedTime|UserAction|ActionStatus|ActionResponseURL|
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|HAR File|compliancecow|https://example.com/page1?param1=value1&param2=value2&token=[TOKEN]|N/A|N/A|N/A|N/A|example.com|token|Failed|Move 'token' to header|JWT_TOKEN_FOUND|[TOKEN] is repeating in query parameter and value seems like JWT token - Query name: 'token'|NON_COMPLIANT|[TOKEN] is repeating in query parameter and value seems like JWT token - Query name: 'token'|2024-02-28T09:56:39.833321Z||||
|HAR File|compliancecow|https://example.com/page1?param1=value1&param2=value2&api=[KEY]|N/A|N/A|N/A|N/A|example.com|api|Failed|Move 'api' to header|API_KEY_FOUND|[KEY] is repeating in query parameter and value seems like API key - Query name: 'api'|NON_COMPLIANT|[KEY] is repeating in query parameter and value seems like API key - Query name: 'api'|2024-03-01T15:04:39.620830Z||||
|HAR File|compliancecow|https://example.com/page2?param3=value3|N/A|N/A|N/A|N/A|example.com|param2|Passed|N/A|NO_TOKEN_FOUND|No tokens were found|COMPLIANT|No tokens were found|2024-03-01T15:04:39.620830Z||||

# Step 4: Describe the Compliance Taxonomy

|Compliance Status Code|Compliance Status|Compliance Status Reason|
|---|---|---|
|TOKEN_NOT_FOUND|COMPLIANT|No session tokens were found|
|GUID_TOKEN_FOUND|NON_COMPLIANT|[token] is repeating in query parameter and value seems like session token (UUID)|
|JWT_TOKEN_FOUND|NON_COMPLIANT|[token] is repeating in query parameter and value seems like JWT token|
|API_KEY_FOUND|NON_COMPLIANT|[token] is repeating in query parameter and value seems like API key|

# Step 5: Calculation for Compliance Percentage and Status

```
# Calculation of Compliance Percentage
CompliancePCT = 100 - (Count of 'NON_COMPLIANT' records * 100) / Total records

# Compliance Status
COMPLIANT       - CompliancePCT == 100%
NON_COMPLIANT   - 0% <= CompliancePCT < 100%
NOT_DETERMINED  - If integrity is missing on all records (nothing could be evaluated)
```
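The detection and scoring described in Steps 3 to 5, as an added Python example that is not the ComplianceCow connector's own code: it walks a constructed HAR fragment, classifies each query value by shape using the Step 4 status codes, masks the secret in `ResourceID`, and applies the Step 5 formula. The HAR entries, the JWT/UUID regexes, and the omission of the "is repeating" heuristic from the status notes are assumptions of this example.

```python
import re
from urllib.parse import urlparse, parse_qsl, urlencode, urlunparse

# Constructed HAR fragment (hypothetical sample input, not a real capture).
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"url": "https://example.com/page1?param1=value1&token=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2ln"}},
    {"request": {"url": "https://example.com/page2?sid=123e4567-e89b-12d3-a456-426614174000"}},
    {"request": {"url": "https://example.com/page3?q=search"}},
]}}

# Shape-based heuristics (assumed): compact JWTs start with base64url('{"') == "eyJ".
JWT_RE = re.compile(r"^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def classify(value):
    """Map a query value to a Step 4 status code, or None when it looks harmless."""
    if JWT_RE.match(value):
        return "JWT_TOKEN_FOUND"
    if UUID_RE.match(value):
        return "GUID_TOKEN_FOUND"
    return None

def evaluate_har(har):
    """One record per query parameter; the flagged value is masked in ResourceID."""
    records = []
    for entry in har["log"]["entries"]:
        parsed = urlparse(entry["request"]["url"])
        params = parse_qsl(parsed.query, keep_blank_values=True)
        for name, value in params:
            code = classify(value)
            masked = [(n, "<<TOKEN>>" if code and n == name else v) for n, v in params]
            records.append({
                "Host": parsed.hostname,
                "ResourceID": urlunparse(parsed._replace(query=urlencode(masked, safe="<>"))),
                "QueryName": name,
                "ValidationStatusCode": code or "TOKEN_NOT_FOUND",
                "ComplianceStatus": "NON_COMPLIANT" if code else "COMPLIANT",
                "Remediation": f"Move '{name}' to header" if code else "N/A",
            })
    return records

def compliance_summary(records):
    """Step 5 formula; NOT_DETERMINED when there is nothing to evaluate."""
    if not records:
        return 0.0, "NOT_DETERMINED"
    bad = sum(r["ComplianceStatus"] == "NON_COMPLIANT" for r in records)
    pct = 100 - bad * 100 / len(records)
    return pct, "COMPLIANT" if pct == 100 else "NON_COMPLIANT"
```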

# Step 6: Describe (in words) the Remediation Steps for Non-Compliance

For NOT_DETERMINED: UNKNOWN

For COMPLIANT: None

For NON_COMPLIANT:

If Compliance Cow needs to notify the client, the following message can be sent via Slack or raised as a JIRA ticket:

To ensure that no data is compromised, make sure that all session tokens, authentication keys, etc. are sent through request headers rather than the URL.

# Step 7: Control Setup Details

| Control Details            |                                               |
|----------------------------|-----------------------------------------------|
| **RuleName**               | VerifySessionTokenIsNotPresentInURL           |
| **PreRequisiteRuleNames**  | N/A                                           |
| **ExtendedSchemaRuleNames**| N/A                                           |
| **ApplicationClassName**   | privacybisonconnector                         |