- Type: Security Hotspot Detection
- Status: Active
- Resolution: Unresolved
- Labels:
- Message: Make sure creating this cookie without the "secure" flag is safe.
- Default Severity: Minor
- Impact: Low
- Likelihood: Low
- Default Quality Profiles: Sonar way
- Targeted languages: C++, Objective-C, VB.Net
- Covered Languages: C#, Java, PHP, Python
- Remediation Function: Constant/Issue
- Constant Cost: 5min
- Analysis Level: Semantic Analysis
- Analysis Scope: Main Sources
- Common Rule: Yes
- CWE: CWE-614, CWE-311, CWE-315
- OWASP: A3
- SANS Top 25: Porous Defenses
- FindSecBugs: INSECURE_COOKIE
When a cookie is protected with the secure attribute set to true, the browser will not send it over an unencrypted HTTP request, so it cannot be observed by an unauthorized person during a man-in-the-middle attack.
Ask Yourself Whether
- The cookie is, for instance, a session cookie that is not designed to be sent over non-HTTPS communication.
- It is not certain whether the website contains mixed content (i.e. whether it is served over HTTPS everywhere or not).
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
- It is recommended to use HTTPS everywhere, so setting the secure flag to true should be the default behaviour when creating cookies.
- Set the secure flag to true for session-cookies.
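As an added example (not code from this rule page or from SonarSource), the following Python audit applies the check described above to raw Set-Cookie header values, rates a missing flag more severely for session cookies, and builds the hardened form with the standard library; the session-name pattern and the sample headers are assumptions.

```python
# Added example (not code from the SonarSource rule page): audit Set-Cookie headers
# for a missing "Secure" attribute and build the hardened form. Sample headers are
# constructed; the session-name heuristic below is an assumption.
import re
from http.cookies import SimpleCookie

# Assumed heuristic for cookies that carry a session identifier; extend per framework.
SESSION_NAME = re.compile(r"sess|sid|auth|token", re.IGNORECASE)

def parse_set_cookie(header_value: str) -> tuple[str, dict[str, str]]:
    """Split one Set-Cookie value into (cookie name, {attribute lower-cased: value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")  # flags such as "Secure" carry no value
        if key.strip():
            attrs[key.strip().lower()] = value.strip()
    return name, attrs

def audit_set_cookie(header_value: str) -> dict:
    """Report whether the cookie carries Secure and how risky its absence is."""
    name, attrs = parse_set_cookie(header_value)
    secure = "secure" in attrs
    session_like = bool(SESSION_NAME.search(name))
    if secure:
        severity = "none"
    elif session_like:
        severity = "high"    # session id would be sent on any plain-HTTP request
    else:
        severity = "review"  # the rule's question: is omitting Secure safe here?
    return {"name": name, "secure": secure, "session": session_like, "severity": severity}

def insecure_cookies(header_values: list[str]) -> list[str]:
    # Names of all cookies in the given Set-Cookie values that lack Secure.
    return [f["name"] for f in map(audit_set_cookie, header_values) if not f["secure"]]

def secure_session_header(name: str, value: str) -> str:
    """Hardened form: set Secure (and HttpOnly) at the moment the cookie is created."""
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["secure"] = True
    cookie[name]["httponly"] = True
    return cookie[name].OutputString()

# Constructed sample headers: hardened, weak session cookie, weak preference cookie.
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "PHPSESSID=def456; Path=/; HttpOnly",
    "theme=dark; Path=/; Max-Age=31536000",
]
```

Running `insecure_cookies(SAMPLE_HEADERS)` on the constructed headers reports the session cookie and the preference cookie, while the hardened header from `secure_session_header` passes the audit.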
See
- OWASP Top 10 2017 Category A3 - Sensitive Data Exposure
- MITRE, CWE-311 - Missing Encryption of Sensitive Data
- MITRE, CWE-315 - Cleartext Storage of Sensitive Information in a Cookie
- MITRE, CWE-614 - Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
- SANS Top 25 - Porous Defenses
- is implemented by
  - SONARSLANG-467 [kotlin] Rule 2092: Creating cookies without the "secure" flag is security-sensitive (Open)
  - SONARJAVA-780 Rule: Cookies should be secure (Closed)
  - SONARPHP-635 Rule S2092: Cookies should be "secure" (Closed)
  - SONARPY-489 Rule S2092: Creating cookies without the "secure" flag is security-sensitive (Closed)
  - SONARJAVA-2768 FN S2092: new Cookie("name", "value") (Closed)
  - SONARJAVA-3100 FN on Rule S2092: Update the implementation to raise on cookie instantiation and setSecure (Closed)
  - SONARPHP-934 [S2092] & [S3330] Bad flags on cookies not detected correctly (Closed)
  - MMF-1269 Pack of C# Rules targeting Security Hotspots (Closed)
- is related to
  - SONARPY-577 Fix FN on S2092: setting a cookie without secure flag (Open)
  - SONARJAVA-3096 S2068, S2092, S2115 and S3330 are not able to resolve variable latest assigned values anymore (Closed)
  - SONARJAVA-3500 Support latest version of Play framework in S3330 and S2092 (Closed)
  - SONARJAVA-3107 Rule S2092: False Positive on SavedCookie (Closed)
- relates to
  - SONARJAVA-2767 Rule S2092: support more Cookie types (Closed)
- links to
  1. PHP | RSPEC-3761 | Active | Unassigned
  2. C# | RSPEC-4556 | Active | Unassigned
  3. Java | RSPEC-4557 | Active | Unassigned
  4. Python | RSPEC-5551 | Active | Unassigned
  5. Kotlin | RSPEC-5576 | Active | Unassigned
  6. JavaScript | RSPEC-5678 | Active | Unassigned