ajinabraham.njsscan.headers.header_cookie.cookie_session_no_path

Default session middleware settings: `path` is not set. The cookie's Path attribute tells the browser which request paths the cookie is sent for: the browser compares it against the path of each request and, when both path and domain match, attaches the cookie. express-session (`cookie.path`) and cookie-session (`path`) both default it to `/`, so leaving it unset sends the session cookie with every request to the host, including static assets and any other application served under the same origin. Set it to the narrowest path prefix the session is actually needed under. The rule only checks that the attribute is set somewhere in the options passed to the middleware; it does not judge the value.
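Added example, not part of the njsscan rule or of either middleware's code: it shows the two options shapes the rule distinguishes (path unset vs. `cookie.path` set, in express-session's shape) and applies the RFC 6265 section 5.1.4 path-match algorithm to a constructed list of request paths, so you can see which requests a browser would attach the session cookie to under each configuration. The `/app` prefix and the request list are assumptions made for the example.

```javascript
// Added example (not from the njsscan rule or from express-session / cookie-session).
// express-session reads the Path attribute from `cookie.path`, cookie-session from a
// top-level `path`; both default to '/'. The options below use express-session's shape.

// `flagged` leaves cookie.path unset, so the rule reports it.
// `scoped` sets cookie.path and is not reported. '/app' is an assumed prefix.
const flagged = { secret: 'change-me', resave: false, saveUninitialized: false };
const scoped = {
  ...flagged,
  cookie: { path: '/app', httpOnly: true, secure: true, sameSite: 'lax' },
};

// Mirrors what the rule looks for: is a path set anywhere in the options?
function hasExplicitPath(opts) {
  return (opts.cookie && typeof opts.cookie.path === 'string') ||
         typeof opts.path === 'string';
}

// Effective Path attribute: explicit value, else the middleware default '/'.
function effectivePath(opts) {
  if (opts.cookie && typeof opts.cookie.path === 'string') return opts.cookie.path;
  if (typeof opts.path === 'string') return opts.path;            // cookie-session shape
  return '/';
}

// RFC 6265 section 5.1.4 path-match: the browser sends the cookie when the request
// path equals the cookie path, or starts with it and the remainder begins at a '/'.
function pathMatches(cookiePath, requestPath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  if (cookiePath.endsWith('/')) return true;
  return requestPath[cookiePath.length] === '/';
}

// Which of the given request paths would carry the session cookie?
function pathsReceivingCookie(opts, requestPaths) {
  const cookiePath = effectivePath(opts);
  return requestPaths.filter((r) => pathMatches(cookiePath, r));
}

// Constructed sample of request paths on one host.
const requests = [
  '/', '/app', '/app/', '/app/dashboard', '/application', '/static/logo.png', '/api/health',
];

console.log('flagged (path unset -> "/"):', pathsReceivingCookie(flagged, requests));
console.log('scoped  (path "/app")     :', pathsReceivingCookie(scoped, requests));
```

With the default `/`, every listed request carries the cookie; with `/app`, only `/app`, `/app/` and `/app/dashboard` do. Note that `/application` does not match `/app`, because the byte after the prefix must be a `/`, which is why a path prefix without a trailing slash is still a safe choice.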


Definition

rules:
  - id: cookie_session_no_path
    patterns:
      - pattern-either:
          - pattern-inside: |
              $SESSION = require('cookie-session')
              ...
          - pattern-inside: |
              $SESSION = require('express-session')
              ...
      - pattern: $SESSION(...)
      - pattern-not-inside: $SESSION(<... {cookie:{path:...}} ...>,...)
      - pattern-not-inside: |
          $OPTS = <... {cookie:{path:...}} ...>;
          ...
          $SESSION($OPTS,...)
      - pattern-not-inside: |
          $OPTS = ...;
          ...
          $COOKIE = <... {path:...} ...>;
          ...
          $SESSION($OPTS,...)
      - pattern-not-inside: |
          $OPTS = ...;
          ...
          $OPTS.cookie = <... {path:...} ...>;
          ...
          $SESSION($OPTS,...)
      - pattern-not-inside: |
          $OPTS = ...;
          ...
          $COOKIE.path = ...;
          ...
          $SESSION($OPTS,...)
      - pattern-not-inside: |
          $OPTS = ...;
          ...
          $OPTS.cookie.path = ...;
          ...
          $SESSION($OPTS,...)
    message: "Default session middleware settings: `path` not set. It indicates the
      path of the cookie; use it to compare against the request path. If this
      and domain match, then send the cookie in the request."
    severity: INFO
    languages:
      - javascript
    metadata:
      cwe: cwe-522
      owasp-web: a2
      license: LGPL-3.0-or-later
      vulnerability_class:
        - Other