forked from mobb-dev/rules
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathnodejs-express-cookie-parser-cookie-not-httponly-no-options.yml
52 lines (52 loc) · 1.87 KB
/
nodejs-express-cookie-parser-cookie-not-httponly-no-options.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
rules:
- id: nodejs-express-cookie-parser-cookie-not-httponly-no-options
patterns:
- pattern-either:
- pattern-inside: |
$MODULE = require('cookie-parser');
...
- pattern-inside: |
import $MODULE from 'cookie-parser';
...
- pattern-inside: |
import * as $MODULE from 'cookie-parser';
...
- pattern-either:
- pattern-inside: |
$EXP = require('express');
...
- pattern-inside: |
import $EXP from 'express';
...
- pattern-inside: |
import * as $EXP from 'express';
...
- pattern-inside: |
$APP = $EXP();
...
- pattern-inside: |
$APP.use($MODULE);
...
- pattern-inside: |
$APP.$METHOD(..., function $FUNC($REQ, $RES, ...) {...})
- pattern: |
$RES.cookie('$TOKEN', '$VALUE');
- metavariable-pattern:
metavariable: $METHOD
pattern-regex: (get|post|put|head|delete|options)
fix: |-
$RES.cookie('$TOKEN', '$VALUE', {httpOnly: true});
message: >-
When setting cookies in the response for the user, you should add the 'httpOnly' attribute in the options in order for the cookie to be secure.
'httpOnly' cookies are not accessible from the Javascript code that runs in the browser, whereas regular non 'httpOnly' cookies are.
Normally, a user would want their cookies inaccessible from the code in the browser as this makes XSS vulnerabilities harder to exploit by attackers.
metadata:
owasp: 'A05:2021 - Security Misconfiguration'
cwe: "CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag"
category: security
technology:
- express
severity: WARNING
languages:
- javascript
- typescript