csharp.dotnet.security.web-config-insecure-cookie-settings.web-config-insecure-cookie-settings

profile photo of returntocorpreturntocorp
Author
unknown
Download Count*

Cookie Secure flag is explicitly disabled. You should enforce this value to avoid accidentally presenting sensitive cookie values over plaintext HTTP connections.

Run Locally

Run in CI

Defintion

rules:
  - id: web-config-insecure-cookie-settings
    message: Cookie Secure flag is explicitly disabled. You should enforce this
      value to avoid accidentally presenting sensitive cookie values over
      plaintext HTTP connections.
    severity: WARNING
    metadata:
      likelihood: LOW
      impact: LOW
      confidence: LOW
      category: security
      cwe:
        - "CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute"
      license: MIT
      owasp:
        - A05:2021 - Security Misconfiguration
      references:
        - https://docs.microsoft.com/en-us/aspnet/web-api/overview/advanced/http-cookies
        - https://docs.microsoft.com/en-us/dotnet/api/system.web.security.formsauthentication.requiressl?redirectedfrom=MSDN&view=netframework-4.8#System_Web_Security_FormsAuthentication_RequireSSL
        - https://docs.microsoft.com/en-us/dotnet/api/system.web.security.roles.cookierequiressl?redirectedfrom=MSDN&view=netframework-4.8#System_Web_Security_Roles_CookieRequireSSL
      subcategory:
        - audit
      technology:
        - .net
        - asp
        - webforms
    languages:
      - generic
    paths:
      include:
        - "*web.config"
    patterns:
      - pattern-either:
          - pattern: |
              requireSSL="false"
          - pattern: |
              cookieRequireSSL="false"
      - pattern-either:
          - pattern-inside: |
              <httpCookies ...>
          - pattern-inside: |
              <forms ...>
          - pattern-inside: |
              <roleManager ...>