csharp.dotnet.security.web-config-insecure-cookie-settings.web-config-insecure-cookie-settings
semgrepAuthor
unknown
Download Count*
License
Cookie Secure flag is explicitly disabled. You should enforce this value to avoid accidentally presenting sensitive cookie values over plaintext HTTP connections.
Run Locally
Run in CI
Defintion
rules:
- id: web-config-insecure-cookie-settings
message: Cookie Secure flag is explicitly disabled. You should enforce this
value to avoid accidentally presenting sensitive cookie values over
plaintext HTTP connections.
severity: WARNING
metadata:
likelihood: LOW
impact: LOW
confidence: LOW
category: security
cwe:
- "CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute"
owasp:
- A05:2021 - Security Misconfiguration
references:
- https://docs.microsoft.com/en-us/aspnet/web-api/overview/advanced/http-cookies
- https://docs.microsoft.com/en-us/dotnet/api/system.web.security.formsauthentication.requiressl?redirectedfrom=MSDN&view=netframework-4.8#System_Web_Security_FormsAuthentication_RequireSSL
- https://docs.microsoft.com/en-us/dotnet/api/system.web.security.roles.cookierequiressl?redirectedfrom=MSDN&view=netframework-4.8#System_Web_Security_Roles_CookieRequireSSL
subcategory:
- audit
technology:
- .net
- asp
- webforms
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Cookie Security
languages:
- generic
paths:
include:
- "*web.config"
patterns:
- pattern-either:
- pattern: |
requireSSL="false"
- pattern: |
cookieRequireSSL="false"
- pattern-either:
- pattern-inside: |
<httpCookies ...>
- pattern-inside: |
<forms ...>
- pattern-inside: |
<roleManager ...>
Short Link: https://sg.run/z1jd