ajinabraham.njsscan.header_cookie.cookie_session_default

Download count: 1,129
Consider changing the default session cookie name. An attacker can use it to fingerprint the server and target attacks accordingly.
Definition
rules:
  - id: cookie_session_default
    patterns:
      - pattern-either:
          - pattern-inside: |
              $SESSION = require('cookie-session')
              ...
          - pattern-inside: |
              $SESSION = require('express-session')
              ...
      - pattern: $SESSION(...)
      - pattern-not-inside: $SESSION(<... {name:...} ...>,...)
      - pattern-not-inside: |
          $OPTS = <... {name:...} ...>;
          ...
          $SESSION($OPTS,...)
      - pattern-not-inside: |
          $OPTS = ...;
          ...
          $OPTS.name = ...;
          ...
          $SESSION($OPTS,...)
    message: Consider changing the default session cookie name. An attacker can use
      it to fingerprint the server and target attacks accordingly.
    severity: INFO
    languages:
      - javascript
    metadata:
      cwe: cwe-522
      owasp-web: a2
      license: LGPL-3.0-or-later
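The following is an added example, not code from the njsscan rule or the Semgrep registry. It shows the shape of session options the rule flags (no `name` key, so the library default is used) next to the two accepted shapes the `pattern-not-inside` clauses recognise (an inline `name` key, and `$OPTS.name = ...` before the call), and adds a small defender-side check over `Set-Cookie` headers to confirm a deployment no longer emits a default session cookie name after the change. The library defaults used here (`connect.sid` for express-session, `session` for cookie-session) and the cookie name `app_sid` are assumptions of this example; the sample headers are constructed, not captured from a real server.

```javascript
// Added example (not part of the njsscan rule or the registry page).
// Assumed library defaults when no `name` option is passed:
//   express-session -> "connect.sid", cookie-session -> "session".
const DEFAULT_SESSION_COOKIE_NAMES = new Set(["connect.sid", "session"]);

// Flagged form: options with no `name` key. Passed as
// app.use(session(flaggedOptions(secret))) this matches `$SESSION(...)`
// with none of the rule's pattern-not-inside exclusions applying.
function flaggedOptions(secret) {
  return { secret, resave: false, saveUninitialized: false };
}

// Accepted form 1: `name` set inline (matches `$SESSION(<... {name:...} ...>,...)`).
function fixedOptions(secret, cookieName) {
  return { name: cookieName, secret, resave: false, saveUninitialized: false };
}

// Accepted form 2: options object given a name before the session(...) call
// (matches the `$OPTS.name = ...;` exclusion).
function fixedOptionsByAssignment(secret, cookieName) {
  const opts = { secret, resave: false, saveUninitialized: false };
  opts.name = cookieName;
  return opts;
}

// Mirrors the rule's intent on an options object: no name, or a name that is
// still one of the library defaults, means the server is fingerprintable.
function usesDefaultSessionCookieName(opts) {
  return typeof opts.name !== "string" || DEFAULT_SESSION_COOKIE_NAMES.has(opts.name);
}

// Runtime verification: given the Set-Cookie headers of a response, return the
// cookie names that are library defaults. Run this against a staging
// deployment after renaming the cookie to confirm the change took effect.
function defaultSessionCookiesIn(setCookieHeaders) {
  const found = [];
  for (const header of setCookieHeaders) {
    // "name=value; Path=/; HttpOnly" -> "name"
    const name = header.split(";")[0].split("=")[0].trim();
    if (DEFAULT_SESSION_COOKIE_NAMES.has(name)) found.push(name);
  }
  return found;
}

// Constructed sample headers (hypothetical, not from a real server).
const SAMPLE_BEFORE = [
  "connect.sid=s%3Aabc.def; Path=/; HttpOnly",
  "theme=dark; Path=/",
];
const SAMPLE_AFTER = [
  "app_sid=s%3Aabc.def; Path=/; HttpOnly; Secure; SameSite=Lax",
  "theme=dark; Path=/",
];

console.log("flagged options use default name:",
  usesDefaultSessionCookieName(flaggedOptions("secret")));
console.log("fixed options use default name:",
  usesDefaultSessionCookieName(fixedOptions("secret", "app_sid")));
console.log("default cookies before rename:", defaultSessionCookiesIn(SAMPLE_BEFORE));
console.log("default cookies after rename:", defaultSessionCookiesIn(SAMPLE_AFTER));
```

Renaming the cookie removes one easy fingerprint; it does not change the other cookie attributes the session library sets, so `HttpOnly`, `Secure` and `SameSite` still need to be configured separately.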
Short Link: https://sg.run/ZvAA