OWASP Scan Issue: Cookie Slack Detector #3441
Unanswered
jacklimwenjie asked this question in Help
Replies: 0 comments
OWASP scan reported the cookie slack detector issue on a few next-auth REST API endpoints which includes:
POST /api/auth/_log
POST /api/auth/callback/credentials
POST /api/auth/signout
Trying to understand the cookie slack detector issue on these endpoints. Deducing from OWASP's description, does it mean that repeated calls on these endpoints, dropping one cookie at a time, result in the same response?
If that's the case, I think most likely it's a false positive for POST /api/auth/_log and POST /api/auth/callback/credentials because their responses are not supposed to change with cookies, but how about POST /api/auth/signout? I am under the impression that the session cookie is needed to sign out, so why is this issue still being reported on this endpoint?
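As an added example (not part of this question and not next-auth's code), the check the asker deduces from the OWASP description, implemented in Python against constructed stub handlers so the verdict can be inspected offline; the cookie names are assumed next-auth defaults, the values are placeholders, and each stub's behaviour is hypothetical.

```python
# Added example: a minimal re-implementation of the "drop one cookie at a
# time, compare responses" check, run against constructed stub handlers.
# Nothing here is next-auth's own code; the stubs only model possible
# endpoint behaviours so the scanner's verdict can be reasoned about.
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, str]          # (status code, body)
Handler = Callable[[Dict[str, str]], Response]

# Cookie names are assumed next-auth defaults; values are placeholders.
COOKIES = {
    "next-auth.session-token": "SESSION-PLACEHOLDER",
    "next-auth.csrf-token": "CSRF-PLACEHOLDER",
    "next-auth.callback-url": "http://localhost/",
}


def slack_cookies(handler: Handler, cookies: Dict[str, str]) -> List[str]:
    """Return the cookies whose removal leaves the response identical.

    A baseline request carries every cookie; each cookie is then dropped in
    turn and the response (status and body) compared against the baseline.
    Every cookie returned here is "slack" for this endpoint, i.e. it had no
    observable effect on the response.
    """
    baseline = handler(dict(cookies))
    slack = []
    for name in cookies:
        trimmed = {k: v for k, v in cookies.items() if k != name}
        if handler(trimmed) == baseline:
            slack.append(name)
    return slack


# --- constructed stub handlers (hypothetical behaviour, not next-auth's) ---
def stub_log(cookies: Dict[str, str]) -> Response:
    """Logging endpoint that ignores cookies entirely: all cookies are slack."""
    return 200, ""


def stub_signout_checks_session(cookies: Dict[str, str]) -> Response:
    """Signout that refuses to act without the session cookie."""
    if "next-auth.session-token" not in cookies:
        return 401, '{"error":"no session"}'
    return 200, '{"url":"http://localhost/"}'


def stub_signout_always_ok(cookies: Dict[str, str]) -> Response:
    """Signout that answers 200 with or without a session cookie: this is the
    response shape under which the detector reports every cookie as slack."""
    return 200, '{"url":"http://localhost/"}'
```

Running the check against the two signout stubs shows which behaviour produces the finding: only the stub whose response does not depend on the session cookie reports that cookie as slack.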