ajinabraham.njsscan.headers.header_cookie.cookie_session_no_domain
Default session middleware settings: `domain` not set. The `domain` attribute indicates the domain of the cookie; the browser compares it against the domain of the server from which the URL is being requested. If they match, the `path` attribute is checked next.
Definition
```yaml
rules:
  - id: cookie_session_no_domain
    patterns:
      - pattern-either:
          - pattern-inside: |
              $SESSION = require('cookie-session')
              ...
          - pattern-inside: |
              $SESSION = require('express-session')
              ...
      - pattern: $SESSION(...)
      - pattern-not-inside: $SESSION(<... {cookie:{domain:...}} ...>,...)
      - pattern-not-inside: |
          $OPTS = <... {cookie:{domain:...}} ...>;
          ...
          $SESSION($OPTS,...)
      - pattern-not-inside: |
          $OPTS = ...;
          ...
          $COOKIE = <... {domain:...} ...>;
          ...
          $SESSION($OPTS,...)
      - pattern-not-inside: |
          $OPTS = ...;
          ...
          $OPTS.cookie = <... {domain:...} ...>;
          ...
          $SESSION($OPTS,...)
      - pattern-not-inside: |
          $OPTS = ...;
          ...
          $COOKIE.domain = ...;
          ...
          $SESSION($OPTS,...)
      - pattern-not-inside: |
          $OPTS = ...;
          ...
          $OPTS.cookie.domain = ...;
          ...
          $SESSION($OPTS,...)
    message: "Default session middleware settings: `domain` not set. It indicates
      the domain of the cookie; use it to compare against the domain of the
      server in which the URL is being requested. If they match, then check the
      path attribute next."
    severity: INFO
    languages:
      - javascript
    metadata:
      cwe: cwe-522
      owasp-web: a2
      license: LGPL-3.0-or-later
      vulnerability_class:
        - Other
```
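As an added example (not part of the njsscan rule or of the Semgrep registry page), the two option shapes the rule distinguishes, plus the browser-side domain and path matching that the description refers to, so the effect of omitting `domain` can be checked offline without express-session installed. The option objects, the host `app.example.com` and the helper names are constructed for this example.

```javascript
// Option objects in the shape express-session / cookie-session accept; only the
// objects are built, so nothing here needs the middleware package installed.
const flaggedOptions = {             // what the rule reports: no cookie.domain
  secret: 'constructed-example-secret',
  cookie: { path: '/', httpOnly: true, secure: true },
};
const fixedOptions = {               // explicit domain: a pattern-not-inside clause matches
  secret: 'constructed-example-secret',
  cookie: { path: '/', httpOnly: true, secure: true, domain: 'app.example.com' },
};

// The condition the Semgrep rule encodes: is cookie.domain present in the options?
function hasCookieDomain(opts) {
  return Boolean(opts && opts.cookie && opts.cookie.domain);
}

// RFC 6265 section 5.1.3: a request host domain-matches a cookie domain when they
// are equal, or the host ends with "." + domain (and the host is not an IP address).
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase().replace(/^\./, '');
  if (host === domain) return true;
  if (/^\d+\.\d+\.\d+\.\d+$/.test(host)) return false;
  return host.endsWith('.' + domain);
}

// RFC 6265 section 5.1.4: the request path matches the cookie path when they are
// equal, when the cookie path is a prefix ending in "/", or when the character
// following the prefix in the request path is "/".
function pathMatches(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || reqPath[cookiePath.length] === '/';
}

// Would a browser attach the session cookie to this request? With no Domain
// attribute the cookie is host-only (RFC 6265 section 5.3): the request host must
// equal the host that set it. With Domain set, domain matching applies, and the
// description's order is followed: domain first, then path.
function cookieSentTo(cookieOpts, setByHost, reqHost, reqPath) {
  const domainOk = cookieOpts.domain
    ? domainMatches(reqHost, cookieOpts.domain)
    : reqHost.toLowerCase() === setByHost.toLowerCase();
  return domainOk && pathMatches(reqPath, cookieOpts.path || '/');
}
```

Note that an explicit `domain` also makes the cookie available to subdomains of that value, whereas omitting it yields a host-only cookie; the rule is INFO severity because the right choice depends on which hosts should share the session.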
Short Link: https://sg.run/rqbR