Add documentation

2025-12-18 01:33:15 +01:00 · 2024-07-11 14:31:16 +01:00
parent 32fbe52f0f
commit df5569fda9
3 changed files with 52 additions and 1 deletions
--- a/python/ql/src/Security/CWE-614/InsecureCookie.qhelp
+++ b/python/ql/src/Security/CWE-614/InsecureCookie.qhelp
@@ -0,0 +1,29 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>Cookies without the <code>Secure</code> flag set may be transmittd using HTTP instead of HTTPS, which leaves it vulnerable to being read by a third party.</p>
+<p>Cookies without the <code>HttpOnly</code> flag set are accessible to JavaScript running in the same origin. In case of a Cross-Site Scripting (XSS) vulnerability, the cookie can be stolen by a malicious script.</p>
+<p>Cookies with the <code>SameSite</code> attribute set to <code>'None'</code> will be sent with cross-origin requests, which can be controlled by third-party JavaScript code and allow for Cross-Site Request Forgery (CSRF) attacks.</p>
+</overview>
+
+<recommendation>
+<p>Always set <code>secure</code> to <code>True</code> or add "; Secure;" to the cookie's raw value.</p>
+<p>Always set <code>httponly</code> to <code>True</code> or add "; HttpOnly;" to the cookie's raw value.</p>
+<p>Always set <code>samesite</code> to <code>Lax</code> or <code>Strict</code>, or add "; SameSite=Lax;", or
+"; Samesite=Strict;" to the cookie's raw header value.</p>
+</recommendation>
+
+<example>
+<p>In the following examples, the cases marked GOOD show secure cookie attributes being set; whereas in the cases marked BAD they are not set.</p>
+<sample src="examples/InsecureCookie.py" />
+</example>
+
+<references>
+<li>Detectify: <a href="https://support.detectify.com/support/solutions/articles/48001048982-cookie-lack-secure-flag">Cookie lack Secure flag</a>.</li>
+<li>PortSwigger: <a href="https://portswigger.net/kb/issues/00500200_tls-cookie-without-secure-flag-set">TLS cookie without secure flag set</a>.</li>
+</references>
+
+</qhelp>
--- a/python/ql/src/Security/CWE-614/InsecureCookie.ql
+++ b/python/ql/src/Security/CWE-614/InsecureCookie.ql
@@ -3,12 +3,14 @@
 * @description Insecure cookies may be sent in cleartext, which makes them vulnerable to
 *              interception.
 * @kind problem
- * @problem.severity error
+ * @problem.severity warning
 * @security-severity 5.0
 * @precision high
 * @id py/insecure-cookie
 * @tags security
 *       external/cwe/cwe-614
+ *       external/cwe/cwe-1004
+ *       external/cwe/cwe-1275
 */

 import python
--- a/python/ql/src/Security/CWE-614/examples/InsecureCookie.py
+++ b/python/ql/src/Security/CWE-614/examples/InsecureCookie.py
@@ -0,0 +1,20 @@
+from flask import Flask, request, make_response, Response
+
+
+@app.route("/good1")
+def good1():
+    resp = make_response()
+    resp.set_cookie("name", value="value", secure=True, httponly=True, samesite='Strict') # GOOD: Attributes are securely set
+    return resp
+
+
+@app.route("/good2")
+def good2():
+    resp = make_response()
+    resp.headers['Set-Cookie'] = "name=value; Secure; HttpOnly; SameSite=Strict" # GOOD: Attributes are securely set 
+    return resp
+
+@app.route("/bad1")
+    resp = make_response()
+    resp.set_cookie("name", value="value", samesite='None') # BAD: the SameSite attribute is set to 'None'; and the 'Secure' and 'HttpOnly' attributes are set to False by default.
+    return resp