HttpOnly and Secure cookie queries

Author: edvraa

csharp/ql/src/Security Features/CWE-614/RequireSSL.ql

@@ -17,29 +17,6 @@ import csharp
 import semmle.code.asp.WebConfig
 import semmle.code.csharp.frameworks.system.Web
 
-class FormsElement extends XMLElement {
-  FormsElement() {
-    this = any(SystemWebXMLElement sw).getAChild("authentication").getAChild("forms")
-  }
-
-  string getRequireSSL() { result = getAttribute("requireSSL").getValue().trim().toLowerCase() }
-
-  predicate isRequireSSL() { getRequireSSL() = "true" }
-}
-
-class HttpCookiesElement extends XMLElement {
-  HttpCookiesElement() { this = any(SystemWebXMLElement sw).getAChild("httpCookies") }
-
-  string getRequireSSL() { result = getAttribute("requireSSL").getValue().trim().toLowerCase() }
-
-  predicate isRequireSSL() {
-    getRequireSSL() = "true"
-    or
-    not getRequireSSL() = "false" and
-    exists(FormsElement forms | forms.getFile() = getFile() | forms.isRequireSSL())
-  }
-}
-
 from XMLElement element
 where
   element instanceof FormsElement and

csharp/ql/src/experimental/Security Features/CWE-1004/CookieHttpOnlyFalseAspNetCore.qhelp

@@ -0,0 +1,43 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+Cookies without <code>HttpOnly</code> flag are accessible to JavaScript running in the same origin. In case of
+Cross-Site Scripting (XSS) vulnerability the cookie can be stolen by malicious script. By explicitly setting <code>HttpOnly</code>
+property to <code>false</code> the cookie may be accessed by JavaScript.
+</p>
+</overview>
+
+<recommendation>
+<p>
+Protect sensitive cookies, such as related to authentication, by setting <code>HttpOnly</code> to <code>true</code> to make
+them not accessibe to JavaScript.
+</p>
+</recommendation>
+
+<example>
+
+<p>
+In the example below to <code>Microsoft.AspNetCore.Http.CookieOptions.HttpOnly</code> is set to <code>true</code>.
+</p>
+
+<sample src="httponlyflagcore.cs" />
+
+<p>
+In the following example <code>CookiePolicyOptions</code> are set programmatically to configure defaults.
+</p>
+
+<sample src="cookiepolicyoptions.cs" />
+
+</example>
+
+<references>
+
+<li>MSDN: <a href="https://docs.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.cookieoptions.httponly">CookieOptions.HttpOnly Property</a></li>
+<li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie">Set-Cookie</a> Header</li>
+
+</references>
+</qhelp>

csharp/ql/src/experimental/Security Features/CWE-1004/CookieHttpOnlyFalseAspNetCore.ql

@@ -0,0 +1,59 @@
+/**
+ * @name 'HttpOnly' attribute is set to false
+ * @description Setting 'HttpOnly' attribute to false for security sensitive data allows
+ *              malicious JavaScript to steal it in case of XSS vulnerability. Always set
+ *              'HttpOnly' to 'true' to authentication related cookie to make it
+ *              not accessible by JavaScript.
+ * @kind problem
+ * @problem.severity warning
+ * @precision high
+ * @id cs/web/cookie-httponly-false-aspnetcore
+ * @tags security
+ *       external/cwe/cwe-1004
+ */
+
+import csharp
+import semmle.code.csharp.frameworks.microsoft.AspNetCore
+import semmle.code.csharp.dataflow.flowsources.AuthCookie
+
+from Expr val, Assignment a
+where
+  exists(ObjectCreation oc, MethodCall mc, MicrosoftAspNetCoreHttpResponseCookies iResponse |
+    iResponse.getAppendMethod() = mc.getTarget() and
+    oc.getType() instanceof MicrosoftAspNetCoreHttpCookieOptions and
+    getAValueForProp(oc, a, "HttpOnly") = val and
+    val.getValue() = "false" and
+    // there is no callback `OnAppendCookie` that sets `HttpOnly` to true
+    not exists(
+      OnAppendCookieHttpOnlyTrackingConfig config, DataFlow::Node source, DataFlow::Node sink
+    |
+      config.hasFlow(source, sink)
+    ) and
+    // It is a sensitive cookie name
+    exists(AuthCookieNameConfiguration dataflow, DataFlow::Node source, DataFlow::Node sink |
+      dataflow.hasFlow(source, sink) and
+      sink.asExpr() = mc.getArgument(0)
+    ) and
+    // Passed as third argument to `IResponseCookies.Append`
+    exists(
+      CookieOptionsTrackingConfiguration cookieTracking, DataFlow::Node creation,
+      DataFlow::Node append
+    |
+      cookieTracking.hasFlow(creation, append) and
+      creation.asExpr() = oc and
+      append.asExpr() = mc.getArgument(2)
+    )
+  )
+  or
+  exists(PropertyWrite pw |
+    (
+      pw.getProperty().getDeclaringType() instanceof MicrosoftAspNetCoreHttpCookieBuilder or
+      pw.getProperty().getDeclaringType() instanceof
+        MicrosoftAspNetCoreAuthenticationCookiesCookieAuthenticationOptions
+    ) and
+    pw.getProperty().getName() = "HttpOnly" and
+    a.getLValue() = pw and
+    DataFlow::localExprFlow(val, a.getRValue()) and
+    val.getValue() = "false"
+  )
+select a.getRValue(), "Cookie attribute 'HttpOnly' is set to false."

csharp/ql/src/experimental/Security Features/CWE-1004/CookieHttpOnlyFalseSystemWeb.qhelp

@@ -0,0 +1,44 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+Cookies without <code>HttpOnly</code> flag are accessible to JavaScript running in the same origin. In case of
+Cross-Site Scripting (XSS) vulnerability the cookie can be stolen by malicious script. By default,
+cookies are accessibe to JavaScript. By explicitly setting <code>HttpOnly</code>
+property to <code>false</code> the cookie may be accessed by JavaScript.
+</p>
+</overview>
+
+<recommendation>
+
+<p>
+When using cookies, ensure that they are not accessible to JavaScript via <code>&lt;httpCookies&gt;</code> element
+with the attribute <code>httpOnlyCookies="true"</code>.
+It is also possible to require cookies to use SSL programmatically, by setting the property
+<code>System.Web.HttpCookie.HttpOnly</code> to <code>true</code>.
+</p>
+
+</recommendation>
+
+<example>
+
+<p>
+In the example below to <code>System.Web.HttpCookie.HttpOnly</code> is set to <code>true</code>.
+</p>
+
+<sample src="httponlyflag.cs" />
+
+</example>
+
+<references>
+
+<li>MSDN:
+    <a href="https://msdn.microsoft.com/en-us/library/system.web.httpcookie.httponly(v=vs.110).aspx">HttpCookie.HttpOnly Property</a>,
+    <a href="https://msdn.microsoft.com/library/ms228262%28v=vs.100%29.aspx">httpCookies Element</a>.
+</li>
+
+</references>
+</qhelp>

csharp/ql/src/experimental/Security Features/CWE-1004/CookieHttpOnlyFalseSystemWeb.ql

@@ -0,0 +1,29 @@
+/**
+ * @name 'HttpOnly' attribute is set to false
+ * @description Setting 'HttpOnly' attribute to false for security sensitive data allows
+ *              malicious JavaScript to steal it in case of XSS vulnerability. Always set
+ *              'HttpOnly' to 'true' to authentication related cookie to make it
+ *              not accessible by JavaScript.
+ * @kind problem
+ * @problem.severity warning
+ * @precision high
+ * @id cs/web/cookie-httponly-false-aspnet
+ * @tags security
+ *       external/cwe/cwe-1004
+ */
+
+import csharp
+import semmle.code.csharp.frameworks.system.Web
+import semmle.code.csharp.dataflow.flowsources.AuthCookie
+
+from ObjectCreation oc, Expr val, Assignment a
+where
+  getAValueForProp(oc, a, "HttpOnly") = val and
+  val.getValue() = "false" and
+  oc.getType() instanceof SystemWebHttpCookie and
+  // It is a sensitive cookie name
+  exists(AuthCookieNameConfiguration dataflow, DataFlow::Node source, DataFlow::Node sink |
+    dataflow.hasFlow(source, sink) and
+    sink.asExpr() = oc.getArgument(0)
+  )
+select a.getRValue(), "Cookie attribute 'HttpOnly' is set to false."

csharp/ql/src/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore.qhelp

@@ -0,0 +1,36 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+Cookies without <code>HttpOnly</code> flag are accessible to JavaScript running in the same origin. In case of
+Cross-Site Scripting (XSS) vulnerability the cookie can be stolen by malicious script.
+</p>
+</overview>
+
+<recommendation>
+<p>
+Protect sensitive cookies, such as related to authentication, by setting <code>HttpOnly</code> to <code>true</code> to make
+them not accessibe to JavaScript.
+</p>
+</recommendation>
+
+<example>
+
+<p>
+In the example below to <code>Microsoft.AspNetCore.Http.CookieOptions.HttpOnly</code> is set to <code>true</code>.
+</p>
+
+<sample src="httponlyflagcore.cs" />
+
+</example>
+
+<references>
+
+<li>MSDN: <a href="https://docs.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.cookieoptions.httponly">CookieOptions.HttpOnly Property</a></li>
+<li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie">Set-Cookie</a> Header</li>
+
+</references>
+</qhelp>

csharp/ql/src/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlyAspNetCore.ql

@@ -0,0 +1,60 @@
+/**
+ * @name 'HttpOnly' attribute is not set to true
+ * @description Omitting the 'HttpOnly' attribute for security sensitive data allows
+ *              malicious JavaScript to steal it in case of XSS vulnerability. Always set
+ *              'HttpOnly' to 'true' to authentication related cookie to make it
+ *              not accessible by JavaScript.
+ * @kind problem
+ * @problem.severity warning
+ * @precision medium
+ * @id cs/web/httponly-possibly-not-set-aspnetcore
+ * @tags security
+ *       external/cwe/cwe-1004
+ */
+
+import csharp
+import semmle.code.csharp.frameworks.microsoft.AspNetCore
+import semmle.code.csharp.dataflow.flowsources.AuthCookie
+
+from Call c, MicrosoftAspNetCoreHttpResponseCookies iResponse, MethodCall mc
+where
+  // default is not configured or is not set to `Always`
+  not getAValueForCookiePolicyProp("HttpOnly").getValue() = "1" and
+  // there is no callback `OnAppendCookie` that sets `HttpOnly` to true
+  not exists(
+    OnAppendCookieHttpOnlyTrackingConfig config, DataFlow::Node source, DataFlow::Node sink
+  |
+    config.hasFlow(source, sink)
+  ) and
+  // It is a sensitive cookie name
+  exists(AuthCookieNameConfiguration dataflow, DataFlow::Node source, DataFlow::Node sink |
+    iResponse.getAppendMethod() = mc.getTarget() and
+    dataflow.hasFlow(source, sink) and
+    sink.asExpr() = mc.getArgument(0)
+  ) and
+  (
+    // `HttpOnly` property in `CookieOptions` passed to IResponseCookies.Append(...) wasn't set
+    exists(ObjectCreation oc |
+      oc = c and
+      oc.getType() instanceof MicrosoftAspNetCoreHttpCookieOptions and
+      not isPropertySet(oc, "HttpOnly") and
+      exists(
+        CookieOptionsTrackingConfiguration cookieTracking, DataFlow::Node creation,
+        DataFlow::Node append
+      |
+        cookieTracking.hasFlow(creation, append) and
+        creation.asExpr() = oc
+      )
+    )
+    or
+    // IResponseCookies.Append(String, String) was called, `HttpOnly` is set to `false` by default
+    exists(AuthCookieNameConfiguration dataflow, DataFlow::Node source, DataFlow::Node sink |
+      mc = c and
+      iResponse.getAppendMethod() = mc.getTarget() and
+      mc.getNumberOfArguments() < 3 and
+      // It is a sensitive cookie name
+      dataflow.hasFlow(source, sink) and
+      sink.asExpr() = mc.getArgument(0)
+    )
+  )
+select c, "Cookie attribute 'HttpOnly' is not set to true."

csharp/ql/src/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlySystemWeb.qhelp

@@ -0,0 +1,44 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+Cookies without <code>HttpOnly</code> flag are accessible to JavaScript running in the same origin. In case of
+Cross-Site Scripting (XSS) vulnerability the cookie can be stolen by malicious script. By default,
+cookies are accessibe to JavaScript. This setting can be changed by setting the <code>httpOnlyCookies</code>
+attribute to <code>"true"</code> in <code>Web.config</code>.
+</p>
+</overview>
+
+<recommendation>
+
+<p>
+When using cookies, ensure that they are not accessible to JavaScript via <code>&lt;httpCookies&gt;</code> element
+with the attribute <code>httpOnlyCookies="true"</code>.
+It is also possible to require cookies to use SSL programmatically, by setting the property
+<code>System.Web.HttpCookie.HttpOnly</code> to <code>true</code>.
+</p>
+
+</recommendation>
+
+<example>
+
+<p>
+In the example below to <code>System.Web.HttpCookie.HttpOnly</code> is set to <code>true</code>.
+</p>
+
+<sample src="httponlyflag.cs" />
+
+</example>
+
+<references>
+
+<li>MSDN:
+    <a href="https://msdn.microsoft.com/en-us/library/system.web.httpcookie.httponly(v=vs.110).aspx">HttpCookie.HttpOnly Property</a>,
+    <a href="https://msdn.microsoft.com/library/ms228262%28v=vs.100%29.aspx">httpCookies Element</a>.
+</li>
+
+</references>
+</qhelp>

csharp/ql/src/experimental/Security Features/CWE-1004/CookieWithoutHttpOnlySystemWeb.ql

@@ -0,0 +1,35 @@
+/**
+ * @name 'HttpOnly' attribute is not set to true
+ * @description Omitting the 'HttpOnly' attribute for security sensitive data allows
+ *              malicious JavaScript to steal it in case of XSS vulnerability. Always set
+ *              'HttpOnly' to 'true' to authentication related cookie to make it
+ *              not accessible by JavaScript.
+ * @kind problem
+ * @problem.severity warning
+ * @precision high
+ * @id cs/web/httponly-not-set-aspnet
+ * @tags security
+ *       external/cwe/cwe-1004
+ */
+
+import csharp
+import semmle.code.asp.WebConfig
+import semmle.code.csharp.frameworks.system.Web
+import semmle.code.csharp.dataflow.flowsources.AuthCookie
+
+from ObjectCreation oc
+where
+  oc.getType() instanceof SystemWebHttpCookie and
+  // the property wasn't explicitly set, so a default value from config is used
+  not isPropertySet(oc, "HttpOnly") and
+  // the default in config is not set to `true`
+  not exists(XMLElement element |
+    element instanceof HttpCookiesElement and
+    element.(HttpCookiesElement).isHttpOnlyCookies()
+  ) and
+  // it is a cookie with a sensitive name
+  exists(AuthCookieNameConfiguration dataflow, DataFlow::Node source, DataFlow::Node sink |
+    dataflow.hasFlow(source, sink) and
+    sink.asExpr() = oc.getArgument(0)
+  )
+select oc, "Cookie attribute 'HttpOnly' is not set to true."