From 04316d306fc4bc47a0ac32faddafb11077d57074 Mon Sep 17 00:00:00 2001
From: Joe Farebrother
Date: Fri, 19 Sep 2025 12:42:30 +0100
Subject: [PATCH] Update qhelp
---
 .../Security/CWE-1004/NotHttpOnlyCookie.qhelp | 26 +++++++++++++++++++
 .../CWE-1004/examples/InsecureCookie.py | 21 +++++++++++++++
 .../CWE-1275/SameSiteNoneCookie.qhelp | 26 +++++++++++++++++++
 .../CWE-1275/examples/InsecureCookie.py | 21 +++++++++++++++
 .../src/Security/CWE-614/InsecureCookie.qhelp | 15 +++++------
 .../CWE-614/examples/InsecureCookie.py | 1 +
 6 files changed, 102 insertions(+), 8 deletions(-)
 create mode 100644 python/ql/src/Security/CWE-1004/NotHttpOnlyCookie.qhelp
 create mode 100644 python/ql/src/Security/CWE-1004/examples/InsecureCookie.py
 create mode 100644 python/ql/src/Security/CWE-1275/SameSiteNoneCookie.qhelp
 create mode 100644 python/ql/src/Security/CWE-1275/examples/InsecureCookie.py
diff --git a/python/ql/src/Security/CWE-1004/NotHttpOnlyCookie.qhelp b/python/ql/src/Security/CWE-1004/NotHttpOnlyCookie.qhelp
new file mode 100644
index 00000000000..01c472021ad
--- /dev/null
+++ b/python/ql/src/Security/CWE-1004/NotHttpOnlyCookie.qhelp
@@ -0,0 +1,26 @@
+
+
+
+

Cookies without the HttpOnly flag set are accessible to JavaScript running in the same origin. +In case of a Cross-Site Scripting (XSS) vulnerability, the cookie can be stolen by a malicious script. +If a cookie does not need to be accessed directly by client-side JS, the HttpOnly flag should be set.

+
+ + +

Set httponly to True, or add ; HttpOnly; to the cookie's raw header value, to ensure that the cookie is not accessible via JavaScript.

+
+ + +

In the following examples, the cases marked GOOD show secure cookie attributes being set; whereas in the case marked BAD they are not set.

+ +
+ + +
  • PortSwigger: Cookie without HttpOnly flag set
  • +
  • MDN: Set-Cookie.
  • +
    + +
diff --git a/python/ql/src/Security/CWE-1004/examples/InsecureCookie.py b/python/ql/src/Security/CWE-1004/examples/InsecureCookie.py
new file mode 100644
index 00000000000..8ca12936a12
--- /dev/null
+++ b/python/ql/src/Security/CWE-1004/examples/InsecureCookie.py
@@ -0,0 +1,21 @@
+from flask import Flask, request, make_response, Response
+
+
+@app.route("/good1")
+def good1():
+ resp = make_response()
+ resp.set_cookie("name", value="value", secure=True, httponly=True, samesite='Strict') # GOOD: Attributes are securely set
+ return resp
+
+
+@app.route("/good2")
+def good2():
+ resp = make_response()
+ resp.headers['Set-Cookie'] = "name=value; Secure; HttpOnly; SameSite=Strict" # GOOD: Attributes are securely set
+ return resp
+
+@app.route("/bad1")
+def bad1():
+ resp = make_response()
+ resp.set_cookie("name", value="value", samesite='None') # BAD: the SameSite attribute is set to 'None' and the 'Secure' and 'HttpOnly' attributes are set to False by default.
+ return resp
\ No newline at end of file
diff --git a/python/ql/src/Security/CWE-1275/SameSiteNoneCookie.qhelp b/python/ql/src/Security/CWE-1275/SameSiteNoneCookie.qhelp
new file mode 100644
index 00000000000..e38ef00433a
--- /dev/null
+++ b/python/ql/src/Security/CWE-1275/SameSiteNoneCookie.qhelp
@@ -0,0 +1,26 @@
+
+
+
+
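Review bot: `app` is never defined in the new file — the first line imports `Flask` but no `app = Flask(__name__)` follows, so each `@app.route(...)` decorator raises `NameError` the moment this example is imported or linted, and `request` and `Response` are imported but never used. Suggest `from flask import Flask, make_response` followed by `app = Flask(__name__)`. Since this copy belongs to the HttpOnly query, the `# BAD:` comment on `bad1` would serve readers better if it led with the attribute the query reports, e.g. `# BAD: httponly is not set (False by default), so script on the page can read the cookie; Secure is also unset and SameSite is None`. Note the file is byte-identical (blob 8ca12936a12) to the CWE-1275 and CWE-614 examples, so all three qhelp pages will show the same snippet with the same generic comment.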

    Cookies with the SameSite attribute set to 'None' will be sent with cross-origin requests. +This can sometimes allow for Cross-Site Request Forgery (CSRF) attacks, in which a third-party site could perform actions on behalf of a user.

    +
    + + +

    Set the samesite to Lax or Strict, or add ; SameSite=Lax;, or +; SameSite=Strict; to the cookie's raw header value. The default value in most cases is Lax.

    +
    + + +

    In the following examples, the cases marked GOOD show secure cookie attributes being set; whereas in the case marked BAD they are not set.

    + +
    + + +
  • MDN: Set-Cookie.
  • +
  • OWASP: SameSite.
  • +
    + +
diff --git a/python/ql/src/Security/CWE-1275/examples/InsecureCookie.py b/python/ql/src/Security/CWE-1275/examples/InsecureCookie.py
new file mode 100644
index 00000000000..8ca12936a12
--- /dev/null
+++ b/python/ql/src/Security/CWE-1275/examples/InsecureCookie.py
@@ -0,0 +1,21 @@
+from flask import Flask, request, make_response, Response
+
+
+@app.route("/good1")
+def good1():
+ resp = make_response()
+ resp.set_cookie("name", value="value", secure=True, httponly=True, samesite='Strict') # GOOD: Attributes are securely set
+ return resp
+
+
+@app.route("/good2")
+def good2():
+ resp = make_response()
+ resp.headers['Set-Cookie'] = "name=value; Secure; HttpOnly; SameSite=Strict" # GOOD: Attributes are securely set
+ return resp
+
+@app.route("/bad1")
+def bad1():
+ resp = make_response()
+ resp.set_cookie("name", value="value", samesite='None') # BAD: the SameSite attribute is set to 'None' and the 'Secure' and 'HttpOnly' attributes are set to False by default.
+ return resp
\ No newline at end of file
diff --git a/python/ql/src/Security/CWE-614/InsecureCookie.qhelp b/python/ql/src/Security/CWE-614/InsecureCookie.qhelp
index 5b36c9cc59d..914d9d0baa5 100644
--- a/python/ql/src/Security/CWE-614/InsecureCookie.qhelp
+++ b/python/ql/src/Security/CWE-614/InsecureCookie.qhelp
@@ -4,26 +4,25 @@
-
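Review bot: The BAD case in `bad1` pairs `samesite='None'` with the default `secure=False`, and modern browsers reject a SameSite=None cookie that lacks Secure (the MDN Set-Cookie page the qhelp cites documents this), so the cookie in this example would most likely be dropped rather than sent cross-site — the realistic SameSite=None finding is one where Secure is set and the cookie really does ride along on cross-site requests. Suggest `resp.set_cookie("name", value="value", secure=True, httponly=True, samesite='None')  # BAD: SameSite=None sends the cookie on cross-site requests, enabling CSRF` so the snippet isolates the attribute this CWE-1275 query is about. As in the other two copies of this file (same blob 8ca12936a12), `app` is never created and `request`/`Response` are unused, so `app = Flask(__name__)` is needed after the import before the `@app.route` decorators resolve.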

    Cookies without the Secure flag set may be transmitted using HTTP instead of HTTPS, which leaves them vulnerable to reading by a third party.

    -

    Cookies without the HttpOnly flag set are accessible to JavaScript running in the same origin. In case of a Cross-Site Scripting (XSS) vulnerability, the cookie can be stolen by a malicious script.

    -

    Cookies with the SameSite attribute set to 'None' will be sent with cross-origin requests, which can be controlled by third-party JavaScript code and allow for Cross-Site Request Forgery (CSRF) attacks.

    +

    Cookies without the Secure flag set may be transmitted using HTTP instead of HTTPS. +This leaves them vulnerable to being read by a third party attacker. If a sensitive cookie such as a session +key is intercepted this way, it would allow the attacker to perform actions on a user's behalf.

    -

    Always set secure to True or add "; Secure;" to the cookie's raw value.

    -

    Always set httponly to True or add "; HttpOnly;" to the cookie's raw value.

    -

    Always set samesite to Lax or Strict, or add "; SameSite=Lax;", or -"; Samesite=Strict;" to the cookie's raw header value.

    +

    Always set secure to True, or add ; Secure; to the cookie's raw header value, to ensure SSL is used to transmit the cookie +with encryption.

    -

    In the following examples, the cases marked GOOD show secure cookie attributes being set; whereas in the cases marked BAD they are not set.

    +

    In the following examples, the cases marked GOOD show secure cookie attributes being set; whereas in the case marked BAD they are not set.

  • Detectify: Cookie lack Secure flag.
  • PortSwigger: TLS cookie without secure flag set.
  • +
  • MDN: Set-Cookie.
•
diff --git a/python/ql/src/Security/CWE-614/examples/InsecureCookie.py b/python/ql/src/Security/CWE-614/examples/InsecureCookie.py
index 07cca6c3fce..8ca12936a12 100644
--- a/python/ql/src/Security/CWE-614/examples/InsecureCookie.py
+++ b/python/ql/src/Security/CWE-614/examples/InsecureCookie.py
@@ -15,6 +15,7 @@ def good2():
 return resp
 @app.route("/bad1")
+def bad1():
 resp = make_response()
 resp.set_cookie("name", value="value", samesite='None') # BAD: the SameSite attribute is set to 'None' and the 'Secure' and 'HttpOnly' attributes are set to False by default.
 return resp
\ No newline at end of file
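Review bot: The added `def bad1():` repairs the decorator that previously had no function under it, but the new side still ends with `\ No newline at end of file` after `return resp`; add the trailing newline so the example file ends cleanly. The `# BAD:` comment on the `resp.set_cookie` context line describes SameSite and HttpOnly as well, while this CWE-614 query reports only the missing Secure flag; suggest `# BAD: secure is not set (False by default, as the comment notes), so the cookie may be sent over plain HTTP`. The enclosing file starts outside this hunk; the identical blob added under CWE-1004 in this same patch (index 8ca12936a12) shows no `app = Flask(__name__)`, so the `@app.route("/bad1")` context line references a name that is never defined.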