Rules Repository: RSPEC-5736

Disabling strict HTTP no-referrer policy is security-sensitive


    Details

    • Type: Security Hotspot Detection
    • Status: Active
    • Resolution: Unresolved
    • Labels:
    • Message:
      Make sure disabling strict HTTP no-referrer policy is safe here.
    • Default Severity:
      Minor
    • Impact:
      Low
    • Likelihood:
      Low
    • Default Quality Profiles:
      Sonar way
    • Targeted languages:
      ABAP, APEX, C#, C, C++, Cobol, CSS, Flex, Go, HTML, Java, Kotlin, Objective-C, PHP, PL/I, PL/SQL, Python, RPG, Ruby, Rust, Scala, Solidity, Swift, T-SQL, TypeScript, VB.Net, VB6, XML
    • Covered Languages:
      JavaScript
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      5min
    • Analysis Level:
      Control-flow Analysis
    • Analysis Scope:
      Main Sources
    • CWE:
      CWE-200
    • OWASP:
      A3

      Description

      The HTTP Referer header carries the URL of the page from which a request was made. Browsers set it, and applications use it to track where a user came from; it is, for instance, a relevant value for web analytics services. It can, however, cause serious privacy and security problems when that URL contains confidential information. Note that Firefox, for instance, strips the path information from the Referer header while browsing privately in order to prevent such data leaks.

      Suppose an e-commerce website asks the user for their credit card number to purchase a product:

      <html>
      <body>
      <form action="/valid_order" method="GET">
      Type your credit card number to purchase products:
      <!-- the name attribute is what makes the value appear in the URL as cc=... -->
      <input type=text id="cc" name="cc" value="1111-2222-3333-4444">
      <input type=submit>
      </form>
      </body>
      </html>
      

      Submitting the above form performs an HTTP GET request to https://example.com/valid_order?cc=1111-2222-3333-4444, which places the credit card number in the URL. This is obviously insecure, because:

      • URLs are stored in the history of browsers.
      • URLs could be accidentally shared when doing copy/paste actions.
      • URLs can be stolen if a malicious person looks at a user's screen.

      In addition to these threats, when the "valid_order" page then issues further requests, for instance through a simple, legitimate embedded script such as:

      <script src="https://webanalyticservices_example.com/track"></script>
      

      the Referer header, which contains the confidential information, is sent to the third-party web analytics service and causes a privacy issue:

      GET /track HTTP/1.1
      Host: webanalyticservices_example.com
      Referer: https://example.com/valid_order?cc=1111-2222-3333-4444
      

      Ask Yourself Whether

      • Confidential information exists in URLs.
      • The semantics of HTTP methods are not respected (e.g. GET is used instead of POST for a request that changes the state of the application).

      There is a risk if you answered yes to any of those questions.

      Recommended Secure Coding Practices

      Confidential information should not be placed in the URLs (GET request parameters) of the application, and a safe Referrer-Policy header (i.e. one other than unsafe-url or no-referrer-when-downgrade) should be set to control how much information the browser includes in the Referer header.
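      To make the leak scenario above and the recommended Referrer-Policy values concrete, here is an added example (not part of this rule's text or of SonarSource's analyzers), written in JavaScript for Node.js. It models the browser's "determine request's referrer" algorithm from the W3C Referrer Policy specification, evaluates it for the page's constructed URLs (the example.com order page and the third-party tracker host) under every policy value, and implements the rule's safe/unsafe criterion as a check on a Referrer-Policy header value. The function names, the URL constants and the https-only notion of a "potentially trustworthy" origin are this example's own simplifications.

```javascript
// Added example (not from the SonarSource rule text): a model of the
// "determine request's referrer" algorithm of the W3C Referrer Policy
// specification, used to show what the Referer header carries for the
// page's e-commerce scenario under each Referrer-Policy value.
// Runs under Node.js (WHATWG URL class), no network access needed.

const POLICIES = [
  "no-referrer",
  "no-referrer-when-downgrade",
  "same-origin",
  "origin",
  "strict-origin",
  "origin-when-cross-origin",
  "strict-origin-when-cross-origin",
  "unsafe-url",
];

// Default applied by current browsers when no policy is delivered.
// Older browsers defaulted to no-referrer-when-downgrade, which is one
// reason the rule asks for an explicit policy.
const DEFAULT_POLICY = "strict-origin-when-cross-origin";

// Simplification: only https: counts as "potentially trustworthy"
// (the spec also covers localhost, file:, wss:, ...).
function isTrustworthy(url) {
  return url.protocol === "https:";
}

// Spec step "strip url for use as a referrer": drop credentials and the
// fragment; non-HTTP(S) documents never produce a referrer.
function stripForReferrer(urlString) {
  const url = new URL(urlString);
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  url.username = "";
  url.password = "";
  url.hash = "";
  return url;
}

// Returns the Referer value a browser sends for a request to `destination`
// issued from the document at `source`, or null when no Referer is sent.
function referrerFor(policy, source, destination) {
  const ref = stripForReferrer(source);
  if (ref === null) return null;
  const dest = new URL(destination);
  const origin = ref.origin + "/";        // origin-only referrers end with "/"
  let full = ref.href;
  if (full.length > 4096) full = origin;  // spec: over-long referrers become origin
  const sameOrigin = ref.origin === dest.origin;
  const downgrade = isTrustworthy(ref) && !isTrustworthy(dest);

  switch (policy || DEFAULT_POLICY) {
    case "no-referrer":                return null;
    case "origin":                     return origin;
    case "unsafe-url":                 return full;
    case "same-origin":                return sameOrigin ? full : null;
    case "origin-when-cross-origin":   return sameOrigin ? full : origin;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "strict-origin":              return downgrade ? null : origin;
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return full;
      return downgrade ? null : origin;
    default:
      throw new Error(`unknown referrer policy: ${policy}`);
  }
}

// Parses a Referrer-Policy header value the way browsers do: tokens are
// comma-separated, unknown tokens are ignored, the last recognised token
// wins. Returns "" when nothing usable is present (browser default applies).
function parsePolicyHeader(headerValue) {
  let policy = "";
  for (const raw of (headerValue || "").split(",")) {
    const token = raw.trim();
    if (POLICIES.includes(token)) policy = token;
  }
  return policy;
}

// The rule's criterion: safe unless the policy is unsafe-url or
// no-referrer-when-downgrade. An absent/unknown policy ("") is treated as
// unsafe as well, since it leaves the outcome to the browser's default.
function isSafePolicyHeader(headerValue) {
  const policy = parsePolicyHeader(headerValue);
  return policy !== "" &&
         policy !== "unsafe-url" &&
         policy !== "no-referrer-when-downgrade";
}

// What each policy would send to the third-party analytics host.
function leakReport(source, destination) {
  const report = {};
  for (const policy of POLICIES) report[policy] = referrerFor(policy, source, destination);
  return report;
}

// Constructed inputs taken from the page's scenario.
const ORDER_PAGE = "https://example.com/valid_order?cc=1111-2222-3333-4444";
const TRACKER = "https://webanalyticservices_example.com/track";

for (const [policy, referer] of Object.entries(leakReport(ORDER_PAGE, TRACKER))) {
  console.log(`${policy.padEnd(32)} Referer: ${referer === null ? "(none)" : referer}`);
}
```

      Running it with node shows that only unsafe-url and no-referrer-when-downgrade (the two values the rule flags) deliver the full URL, card number included, to the cross-origin tracker; the other policies send either just https://example.com/ or nothing. The same functions can be pointed at an http: destination to see the "downgrade" branch, where the strict variants drop the header entirely.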

      See

        Attachments

        1. JavaScript: RSPEC-5737 (Language-Specification, Active, Unassigned)


            People

            Assignee:
            Unassigned
            Reporter:
            Eric Therond (eric.therond)
            Votes:
            0
            Watchers:
            1
