/
authtkt-cookie-secure-unsafe-default.yaml
37 lines (37 loc) · 1.38 KB
/
authtkt-cookie-secure-unsafe-default.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
rules:
- id: pyramid-authtkt-cookie-secure-unsafe-default
patterns:
- pattern-either:
- patterns:
- pattern-not: pyramid.authentication.AuthTktCookieHelper(..., secure=$SECURE, ...)
- pattern-not: pyramid.authentication.AuthTktCookieHelper(..., **$PARAMS)
- pattern: pyramid.authentication.AuthTktCookieHelper(...)
- patterns:
- pattern-not: pyramid.authentication.AuthTktAuthenticationPolicy(..., secure=$SECURE, ...)
- pattern-not: pyramid.authentication.AuthTktAuthenticationPolicy(..., **$PARAMS)
- pattern: pyramid.authentication.AuthTktAuthenticationPolicy(...)
fix-regex:
regex: (.*)\)
replacement: \1, secure=True)
message: >-
Found a Pyramid Authentication Ticket cookie using an unsafe default for the secure option.
Pyramid cookies should be handled securely by setting secure=True.
If this parameter is not properly set, your cookies are not properly protected and
are at risk of being stolen by an attacker.
metadata:
cwe:
- "CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute"
owasp:
- A05:2021 - Security Misconfiguration
category: security
technology:
- pyramid
references:
- https://owasp.org/Top10/A05_2021-Security_Misconfiguration
subcategory:
- vuln
likelihood: LOW
impact: LOW
confidence: MEDIUM
languages: [python]
severity: WARNING