java.servlets.security.cookie-issecure-false.cookie-issecure-false
semgrep
Author
61
Download Count*
License
Default session middleware settings: setSecure
not set to true. This ensures that the cookie is sent only over HTTPS to prevent cross-site scripting attacks.
Run Locally
Run in CI
Defintion
rules:
- id: cookie-issecure-false
patterns:
- pattern: $COOKIE = new Cookie($...ARGS);
- pattern-not-inside: |
$COOKIE = new Cookie(...);
...
$COOKIE.setSecure(...);
message: "Default session middleware settings: `setSecure` not set to true. This
ensures that the cookie is sent only over HTTPS to prevent cross-site
scripting attacks."
fix: |
$COOKIE = new Cookie($...ARGS);
$COOKIE.setSecure(true);
metadata:
vulnerability: Insecure Transport
owasp:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
cwe:
- "CWE-319: Cleartext Transmission of Sensitive Information"
references:
- https://docs.oracle.com/javaee/6/api/javax/servlet/http/Cookie.html#setSecure(boolean)
- https://owasp.org/www-community/controls/SecureCookieAttribute
category: security
technology:
- java
- cookie
subcategory:
- audit
likelihood: LOW
impact: LOW
confidence: LOW
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Mishandled Sensitive Information
languages:
- java
severity: WARNING
Examples
cookie-issecure-false.java
public class Bad {
public void bad1() {
// ruleid: cookie-issecure-false
Cookie cookie = new Cookie("name", "value");
}
}
public class Ok {
public void ok1() {
// ok: cookie-issecure-false
Cookie cookie = new Cookie("name", "value");
cookie.setSecure(true);
}
}
Short Link: https://sg.run/pxn0