Insecurely generated cookies - HttpOnly - Scala
Need
Secure generation of cookies with the HttpOnly attribute
Context
- Usage of Scala for building scalable and high-performance applications
- Usage of play.api.mvc for handling HTTP requests and responses in Play Framework
Description
Insecure Code Example
import play.api.mvc._

// The HttpOnly flag is disabled, so the browser exposes this cookie to client-side scripts
val cookie = Cookie("session", "your-session-id", httpOnly = false)
Ok("Hello").withCookies(cookie)
In the above code, we are creating a cookie named "session" with the value "your-session-id", but the cookie is generated without the `HttpOnly` attribute. `HttpOnly` is a flag carried in the Set-Cookie HTTP response header. When it is present, it instructs the browser to keep the cookie inaccessible to client-side scripts, which limits the damage from cross-site scripting (XSS) flaws. Without the `HttpOnly` attribute, the cookie can be read by client-side scripts, which exposes the cookie's data to attack: if an attacker can inject a malicious script into the page (through XSS or other means), that script can read the cookie value and use it for session hijacking or other malicious activity. Therefore, it is a security best practice to set the `HttpOnly` attribute on cookies whenever possible, especially on cookies that carry sensitive data such as session identifiers.
Steps
- Set the `HttpOnly` attribute when generating cookies.
- Use the `withHttpOnly` method to set the `HttpOnly` attribute for the generated cookie.
- Ensure that the `HttpOnly` attribute is set to `true` to prevent client-side scripts from accessing the cookie.
- Test the application to verify that the `HttpOnly` attribute is properly set for the generated cookies.
Secure Code Example
import play.api.mvc._

// The HttpOnly flag is set explicitly, so the browser withholds this cookie from client-side scripts
val cookie = Cookie("session", "your-session-id", httpOnly = true)
Ok("Hello").withCookies(cookie)
The original code generated a cookie without the `HttpOnly` attribute. This attribute is crucial for security because it prevents client-side scripts from accessing the cookie; without it, a Cross-Site Scripting (XSS) flaw anywhere on the site lets an injected script read the cookie. The fixed code sets the `HttpOnly` attribute to `true` when generating the cookie by passing `httpOnly = true` as a parameter when creating the `Cookie` object. After the fix, the cookie is emitted with `HttpOnly` set, so it cannot be accessed through client-side scripts, which mitigates the impact of XSS. It is important to test the application after applying this fix to ensure that the `HttpOnly` attribute is set for all generated cookies and that the application's functionality remains intact.
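To support the verification step, here is an added checker (not part of the original page or of Play Framework) that parses raw Set-Cookie header values captured from the application's responses and reports every cookie a client-side script could read. The sample headers are constructed for illustration; the attribute name is matched case-insensitively because servers vary the casing (for example `HTTPOnly`).

```python
"""Report cookies set without the HttpOnly attribute.

Input is a list of raw Set-Cookie header values, e.g. copied from a
captured HTTP response. Parsing is done by hand so the check also
catches variants (casing, extra whitespace) a browser would accept.
"""


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header value into name, value and attributes.

    Attribute keys are lower-cased, as browsers compare them
    case-insensitively. Flag attributes (HttpOnly, Secure) map to True;
    valued attributes (Path, Max-Age, SameSite, ...) keep their value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue  # tolerate a trailing ";"
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def find_script_readable_cookies(headers) -> list:
    """Return the names of cookies whose Set-Cookie lacks HttpOnly."""
    return [
        c["name"]
        for c in map(parse_set_cookie, headers)
        if c["attrs"].get("httponly") is not True
    ]


# Constructed sample: what the insecure and secure examples above would emit,
# plus two unrelated cookies.
SAMPLE_HEADERS = [
    "session=your-session-id; Path=/",                       # missing HttpOnly
    "sid=your-session-id; Path=/; HTTPOnly",                 # set, unusual casing
    "theme=dark; Path=/; Max-Age=3600",                      # missing HttpOnly
    "token=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",  # set
]

if __name__ == "__main__":
    for name in find_script_readable_cookies(SAMPLE_HEADERS):
        print(f"cookie '{name}' is readable by client-side scripts (no HttpOnly)")
```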
Last updated
2023/09/18