Need

Secure generation of cookies with the HttpOnly attribute

Context

• Usage of TypeScript for type-checking and compiling JavaScript code

• Usage of Express for building web applications and APIs

Description

1. Non compliant code

import express from 'express';

const app = express();

app.get('/', (req, res) => {
  const sensitiveData = 'sensitive information';
  // No options object: the Set-Cookie header carries no HttpOnly attribute
  res.cookie('session', sensitiveData);
  res.send('Hello World!');
});

app.listen(3000);

The vulnerability in this code is that the cookie is generated without the HttpOnly attribute. `res.cookie()` sets a cookie named 'session' whose value is the `sensitiveData` variable, but no options object is passed, so the resulting `Set-Cookie` header carries only the name, value and default path. The HttpOnly attribute instructs the browser to withhold the cookie from client-side scripts: a cookie set with it is not exposed through `document.cookie`. This limits the damage of cross-site scripting (XSS), where an attacker injects a script into the page and uses it to read session cookies and exfiltrate them. Without HttpOnly, any XSS payload in the application can read the 'session' cookie and send its value, and the sensitive information it holds, to the attacker. Note that HttpOnly does not prevent XSS itself: an injected script can still issue requests from the victim's browser, and the browser will attach the cookie to them. It prevents the cookie value from being stolen and reused elsewhere. Storing sensitive data directly in a cookie is also questionable in its own right; a session cookie should normally hold only an opaque, random session identifier with the data kept server-side. To fix the vulnerability, set the HttpOnly attribute when generating the cookie by passing an options object as the third argument to `res.cookie()` with `httpOnly` set to `true`.

2. Steps

• Optionally import the 'cookie-parser' middleware if the application needs to read incoming cookies through `req.cookies`; it is not required for setting the HttpOnly attribute, since `res.cookie()` writes the `Set-Cookie` header on its own.

• If used, register the 'cookie-parser' middleware in the application with `app.use(cookieParser())`.

• Pass an options object as the third argument of `res.cookie()` with 'httpOnly' set to 'true'. In production, also set 'secure' to 'true' (cookie sent only over HTTPS) and a 'sameSite' value to limit cross-site sending.

3. Secure code example

import express from 'express';
import cookieParser from 'cookie-parser';

const app = express();

// cookie-parser only parses incoming Cookie headers into req.cookies
app.use(cookieParser());

app.get('/', (req, res) => {
  const sensitiveData = 'sensitive information';
  // Options object: httpOnly emits the HttpOnly attribute in Set-Cookie
  res.cookie('session', sensitiveData, { httpOnly: true });
  res.send('Hello World!');
});

app.listen(3000);

The fixed code addresses the vulnerability by generating the cookie with the HttpOnly attribute set. It imports `express` and `cookie-parser`; the latter parses the `Cookie` header of incoming requests into the `req.cookies` object and is registered with `app.use(cookieParser())`. It is a convenience for reading cookies and plays no part in setting the attribute. The code then defines a route handler for the root path (`/`). Inside this handler, `sensitiveData` holds the information to be stored in the cookie, and `res.cookie` is called with the name `'session'`, the value of `sensitiveData`, and an options object as the third argument. In that object, `httpOnly` is set to `true`, so the `Set-Cookie` header includes the HttpOnly attribute and the browser will not expose the cookie through `document.cookie`. Finally, the handler sends the response `'Hello World!'` with `res.send`, and the server listens on port 3000 with `app.listen`. A quick check after deploying the fix is `curl -i http://localhost:3000/`: the response should contain a `Set-Cookie: session=...; Path=/; HttpOnly` header. With `httpOnly` set to `true`, a script injected through XSS can no longer read and exfiltrate the cookie value. For a session cookie the `secure: true` and `sameSite` options should be set alongside it, since HttpOnly does not address plaintext transport or cross-site request forgery.
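The descriptions of the non-compliant and the fixed code above both come down to what ends up in the `Set-Cookie` header. The following TypeScript is an added example, not code from the original page or from Express: `serializeCookie` is a simplified, hypothetical model of how `res.cookie()` turns its options object into a `Set-Cookie` value (Express's real implementation delegates to the `cookie` package and supports more attributes), and `auditSetCookie` is a review helper that parses a `Set-Cookie` header and reports the attributes a cookie audit looks for. The example goes beyond the page's fix by also showing the `secure` and `sameSite` options a production session cookie should carry.

```typescript
// Added example (not from the original page or from Express):
// a simplified model of res.cookie()'s header generation plus an audit helper.

interface CookieOptions {
  httpOnly?: boolean;
  secure?: boolean;
  sameSite?: 'strict' | 'lax' | 'none';
  maxAge?: number; // seconds
  path?: string;
}

// Hypothetical, simplified re-implementation of how Express builds the
// Set-Cookie value: the value is percent-encoded, Path defaults to "/",
// and each enabled attribute is appended as "; Name[=value]".
function serializeCookie(name: string, value: string, opts: CookieOptions = {}): string {
  const parts: string[] = [`${name}=${encodeURIComponent(value)}`];
  if (opts.maxAge !== undefined) parts.push(`Max-Age=${Math.floor(opts.maxAge)}`);
  parts.push(`Path=${opts.path !== undefined ? opts.path : '/'}`);
  if (opts.httpOnly) parts.push('HttpOnly');
  if (opts.secure) parts.push('Secure');
  if (opts.sameSite) {
    const v = opts.sameSite.charAt(0).toUpperCase() + opts.sameSite.slice(1);
    parts.push(`SameSite=${v}`);
  }
  return parts.join('; ');
}

interface CookieAudit {
  name: string;
  httpOnly: boolean;
  secure: boolean;
  sameSite: string | null;
  findings: string[];
}

// Parse one Set-Cookie header line (e.g. from a captured HTTP response) and
// report the security attributes. Attribute names are case-insensitive.
function auditSetCookie(header: string): CookieAudit {
  const segments = header.split(';').map((s) => s.trim());
  const name = segments[0].split('=')[0];
  const attrs = segments.slice(1).map((a) => a.toLowerCase());
  const httpOnly = attrs.indexOf('httponly') !== -1;
  const secure = attrs.indexOf('secure') !== -1;
  const ss = attrs.filter((a) => a.indexOf('samesite=') === 0)[0];
  // Report the value with its original casing from the header
  const sameSite = ss ? segments.slice(1).filter((a) => a.toLowerCase() === ss)[0].slice('samesite='.length) : null;
  const findings: string[] = [];
  if (!httpOnly) findings.push(`${name}: missing HttpOnly (readable via document.cookie after XSS)`);
  if (!secure) findings.push(`${name}: missing Secure (sent over plaintext HTTP)`);
  if (sameSite === null) findings.push(`${name}: missing SameSite (browser default applies)`);
  return { name, httpOnly, secure, sameSite, findings };
}

// The page's non-compliant call, res.cookie('session', sensitiveData):
const weak = serializeCookie('session', 'sensitive information');
// The page's fix, res.cookie('session', sensitiveData, { httpOnly: true }):
const fixed = serializeCookie('session', 'sensitive information', { httpOnly: true });
// Beyond the page: the options a production session cookie should carry.
const hardened = serializeCookie('session', 'sensitive information', {
  httpOnly: true, secure: true, sameSite: 'strict', maxAge: 3600,
});

for (const h of [weak, fixed, hardened]) {
  console.log(h);
  console.log(auditSetCookie(h).findings);
}
```

Running it prints the three header values and their findings: the non-compliant cookie has three findings, the page's fix still lacks `Secure` and `SameSite`, and the hardened cookie has none. `auditSetCookie` can be pointed at real headers captured with `curl -i` to verify an Express application after the fix.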