ajinabraham.njsscan.headers.header_cookie.cookie_session_no_samesite


Default session middleware settings: the `sameSite` cookie attribute is not configured to `strict` or `lax`. Either of those values makes the browser withhold the session cookie on cross-site requests, which protects against Cross-Site Request Forgery (CSRF). Omitting the attribute, or setting `sameSite: 'none'`, gives no such protection and is still reported by this rule.


Definition

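# Reports express-session / cookie-session middleware created without an
# explicit `cookie.sameSite` of `true`, 'lax' or 'strict'.  The exclusions
# below cover those three accepted values in every shape the rule recognises:
# an inline options literal, an options object assembled in a variable, and a
# cookie object or property assigned before the session call.  `sameSite:
# 'none'` and an absent attribute deliberately remain findings.
#
# The 'lax' exclusions for the variable-built forms were missing: the message
# tells users that lax is acceptable, but `opts = {cookie: {sameSite: 'lax'}}`
# was still reported.  They are added here alongside `true` and 'strict'.
#
# NOTE(review): the `$COOKIE` forms do not tie `$COOKIE` to `$OPTS` — any
# object with a matching sameSite assigned before the call suppresses the
# finding.  NOTE(review): cookie-session appears to take `sameSite` at the top
# level of its options rather than under `cookie:` — confirm against its
# documentation; if so, that form is not covered by these exclusions and will
# be reported.
rules:
  - id: cookie_session_no_samesite
    patterns:
      # Only fire on calls to the session factory imported from one of the two
      # middleware packages.
      - pattern-either:
          - pattern-inside: |
              $SESSION = require('cookie-session')
              ...
          - pattern-inside: |
              $SESSION = require('express-session')
              ...
      - pattern: $SESSION(...)
      # Inline options literal.
      - pattern-not-inside: $SESSION(<... {cookie:{sameSite:true}} ...>,...)
      - pattern-not-inside: $SESSION(<... {cookie:{sameSite:'lax'}} ...>,...)
      - pattern-not-inside: $SESSION(<... {cookie:{sameSite:'strict'}} ...>,...)
      # Options built before the call — sameSite: true.
      - pattern-not-inside: |
          $OPTS = <... {cookie:{sameSite:true}} ...>;
          ...
          $SESSION($OPTS,...)
      - pattern-not-inside: |
          $OPTS = ...;
          ...
          $COOKIE = <... {sameSite:true} ...>;
          ...
          $SESSION($OPTS,...)
      - pattern-not-inside: |
          $OPTS = ...;
          ...
          $OPTS.cookie = <... {sameSite:true} ...>;
          ...
          $SESSION($OPTS,...)
      - pattern-not-inside: |
          $OPTS = ...;
          ...
          $COOKIE.sameSite = true;
          ...
          $SESSION($OPTS,...)
      - pattern-not-inside: |
          $OPTS = ...;
          ...
          $OPTS.cookie.sameSite = true;
          ...
          $SESSION($OPTS,...)
      # Options built before the call — sameSite: 'lax'.
      - pattern-not-inside: |
          $OPTS = <... {cookie:{sameSite:'lax'}} ...>;
          ...
          $SESSION($OPTS,...)
      - pattern-not-inside: |
          $OPTS = ...;
          ...
          $COOKIE = <... {sameSite:'lax'} ...>;
          ...
          $SESSION($OPTS,...)
      - pattern-not-inside: |
          $OPTS = ...;
          ...
          $OPTS.cookie = <... {sameSite:'lax'} ...>;
          ...
          $SESSION($OPTS,...)
      - pattern-not-inside: |
          $OPTS = ...;
          ...
          $COOKIE.sameSite = 'lax';
          ...
          $SESSION($OPTS,...)
      - pattern-not-inside: |
          $OPTS = ...;
          ...
          $OPTS.cookie.sameSite = 'lax';
          ...
          $SESSION($OPTS,...)
      # Options built before the call — sameSite: 'strict'.
      - pattern-not-inside: |
          $OPTS = <... {cookie:{sameSite:'strict'}} ...>;
          ...
          $SESSION($OPTS,...)
      - pattern-not-inside: |
          $OPTS = ...;
          ...
          $COOKIE = <... {sameSite:'strict'} ...>;
          ...
          $SESSION($OPTS,...)
      - pattern-not-inside: |
          $OPTS = ...;
          ...
          $OPTS.cookie = <... {sameSite:'strict'} ...>;
          ...
          $SESSION($OPTS,...)
      - pattern-not-inside: |
          $OPTS = ...;
          ...
          $COOKIE.sameSite = 'strict';
          ...
          $SESSION($OPTS,...)
      - pattern-not-inside: |
          $OPTS = ...;
          ...
          $OPTS.cookie.sameSite = 'strict';
          ...
          $SESSION($OPTS,...)
    # Folded scalar: identical text to the former multi-line double-quoted
    # string, without escaping concerns.
    message: >-
      Default session middleware settings: `sameSite` attribute is not
      configured to strict or lax. These configurations provides protection
      against Cross Site Request Forgery attacks.
    severity: WARNING
    languages:
      - javascript
    metadata:
      # CWE-1275: Sensitive Cookie with Improper SameSite Attribute.
      cwe: cwe-1275
      owasp-web: a2
      license: LGPL-3.0-or-later
      vulnerability_class:
        - Other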