
Commit ab23fff

documentation overhaul for clear-text-cookie
1 parent f36accf commit ab23fff

11 files changed

+98
-59
lines changed

Lines changed: 38 additions & 0 deletions
@@ -0,0 +1,38 @@
1+
<!DOCTYPE qhelp PUBLIC
2+
"-//Semmle//qhelp//EN"
3+
"qhelp.dtd">
4+
<qhelp>
5+
<overview>
6+
<p>
7+
Cookies that are transmitted in clear text can be intercepted by an attacker.
8+
If sensitive cookies are intercepted, the attacker can read the cookie and
9+
use it to perform actions on the user's behalf.
10+
</p>
11+
</overview>
12+
13+
<recommendation>
14+
<p>
15+
Always transmit sensitive cookies using SSL by setting the <code>secure</code>
16+
attribute on the cookie.
17+
</p>
18+
</recommendation>
19+
20+
<example>
21+
<p>
22+
The following example stores an authentication token in a cookie that can
23+
be transmitted in clear text.
24+
</p>
25+
<sample src="examples/CleartextStorageBad.js"/>
26+
<p>
27+
To force the cookie to be transmitted using SSL, set the <code>secure</code>
28+
attribute on the cookie.
29+
</p>
30+
<sample src="examples/CleartextStorageGood.js"/>
31+
</example>
32+
33+
<references>
34+
<li>ExpressJS: <a href="https://expressjs.com/en/advanced/best-practice-security.html#use-cookies-securely">Use cookies securely</a>.</li>
35+
<li>OWASP: <a href="https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#set-cookie-flags-appropriately">Set cookie flags appropriately</a>.</li>
36+
<li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie">Set-Cookie</a>.</li>
37+
</references>
38+
</qhelp>
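
Review bot: The two `<sample>` paths at lines 25 and 30, `examples/CleartextStorageBad.js` and `examples/CleartextStorageGood.js`, are named for cleartext storage while this help file is about cookie transmission; please confirm they resolve to the two example files added in this commit and consider naming them after the query. The overview and recommendation say "SSL" where "HTTPS (TLS)" would describe more accurately what the `secure` attribute enforces, the text never explains that the good sample also sets `httpOnly`, and the last reference at line 36 has no source label such as "MDN:" while the other two entries do.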
Lines changed: 20 additions & 0 deletions
@@ -0,0 +1,20 @@
1+
/**
2+
* @name Clear text transmission of sensitive cookie
3+
* @description Sending sensitive information in a cookie without requring SSL encryption
4+
* can expose the cookie to an attacker.
5+
* @kind problem
6+
* @problem.severity warning
7+
* @security-severity 5.0
8+
* @precision high
9+
* @id js/clear-text-cookie
10+
* @tags security
11+
* external/cwe/cwe-614
12+
* external/cwe/cwe-311
13+
* external/cwe/cwe-312
14+
*/
15+
16+
import javascript
17+
18+
from CookieWrites::CookieWrite cookie
19+
where cookie.isSensitive() and not cookie.isSecure()
20+
select cookie, "Sensitive cookie sent without enforcing SSL encryption"
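
Review bot: The `@description` at line 3 has a typo, "requring" should be "requiring". The name and description are about transmission, but the tags at lines 12 and 13 list CWE-311 and CWE-312, and CWE-312 is cleartext storage; CWE-319 (cleartext transmission of sensitive information) looks like the closer companion to CWE-614, so consider replacing `external/cwe/cwe-312` with it or explaining why the storage tag applies.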

javascript/ql/src/Security/CWE-614/InsecureCookie.qhelp

Lines changed: 0 additions & 26 deletions
This file was deleted.

javascript/ql/src/Security/CWE-614/InsecureCookie.ql

Lines changed: 0 additions & 21 deletions
This file was deleted.
Lines changed: 7 additions & 0 deletions
@@ -0,0 +1,7 @@
1+
const http = require('http');
2+
3+
const server = http.createServer((req, res) => {
4+
res.setHeader("Set-Cookie", `authKey=${makeAuthkey()}`);
5+
res.writeHead(200, { 'Content-Type': 'text/html' });
6+
res.end('<h2>Hello world</h2>');
7+
});
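
Review bot: `makeAuthkey()` at line 4 is neither defined nor imported in this sample, so a reader cannot tell what the value stands for; add a one-line comment saying it is a placeholder for the application's token generator, or declare a stub. A short comment on the `Set-Cookie` line naming the missing `secure` attribute would also tie the sample to the alert message.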
Lines changed: 7 additions & 0 deletions
@@ -0,0 +1,7 @@
1+
const http = require('http');
2+
3+
const server = http.createServer((req, res) => {
4+
res.setHeader("Set-Cookie", `authKey=${makeAuthkey()}; secure; httpOnly`);
5+
res.writeHead(200, { 'Content-Type': 'text/html' });
6+
res.end('<h2>Hello world</h2>');
7+
});
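
Review bot: Line 4 adds `httpOnly` as well as `secure`, but the qhelp paragraph that introduces this sample only mentions `secure`, and the query condition is `not cookie.isSecure()`; either drop `httpOnly` so the fix shown is the minimal one, or state in the help text that it is a separate hardening against script access to the cookie. `makeAuthkey()` is undefined here as well.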
Lines changed: 12 additions & 0 deletions
@@ -0,0 +1,12 @@
1+
| tst-cleartextCookie.js:5:5:10:10 | res.coo ... }) | Sensitive cookie sent without enforcing SSL encryption |
2+
| tst-cleartextCookie.js:20:5:20:43 | res.coo ... ptions) | Sensitive cookie sent without enforcing SSL encryption |
3+
| tst-cleartextCookie.js:35:1:35:52 | js_cook ... alse }) | Sensitive cookie sent without enforcing SSL encryption |
4+
| tst-cleartextCookie.js:44:37:44:51 | "authKey=ninja" | Sensitive cookie sent without enforcing SSL encryption |
5+
| tst-cleartextCookie.js:64:38:64:52 | "authKey=ninja" | Sensitive cookie sent without enforcing SSL encryption |
6+
| tst-cleartextCookie.js:94:60:94:72 | "authKey=foo" | Sensitive cookie sent without enforcing SSL encryption |
7+
| tst-cleartextCookie.js:104:9:107:2 | session ... T OK\\n}) | Sensitive cookie sent without enforcing SSL encryption |
8+
| tst-cleartextCookie.js:109:9:112:2 | session ... T OK\\n}) | Sensitive cookie sent without enforcing SSL encryption |
9+
| tst-cleartextCookie.js:114:9:117:2 | session ... T OK\\n}) | Sensitive cookie sent without enforcing SSL encryption |
10+
| tst-cleartextCookie.js:124:9:124:21 | session(sess) | Sensitive cookie sent without enforcing SSL encryption |
11+
| tst-cleartextCookie.js:148:9:156:2 | session ... Date\\n}) | Sensitive cookie sent without enforcing SSL encryption |
12+
| tst-cleartextCookie.js:160:33:160:58 | `authKe ... key()}` | Sensitive cookie sent without enforcing SSL encryption |
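
Review bot: This file lists 12 expected alerts while the deleted `InsecureCookies.expected` had 11 lines, so the test output changed even though the commit message describes a documentation overhaul; please say which row is new (the template-literal case at 160:33 looks like it mirrors the bad sample) and mention the behaviour change in the commit message.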
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
Security/CWE-614/ClearTextCookie.ql

javascript/ql/test/query-tests/Security/CWE-614/InsecureCookies.expected

Lines changed: 0 additions & 11 deletions
This file was deleted.

javascript/ql/test/query-tests/Security/CWE-614/InsecureCookies.qlref

Lines changed: 0 additions & 1 deletion
This file was deleted.
