Cookies with security attributes
Summary
The session cookies of web applications must have security attributes (HttpOnly, Secure, SameSite) and prefixes (e.g., __Host-).
Description
When you have web applications that handle sessions, you can use different attributes to improve the security related to the cookies that handle these sessions. The attributes HttpOnly and Secure prevent the theft of the session cookie by denying the browser visibility and access to it (even when Cross Site Scripting [XSS] attacks are used) and allow the cookie to be sent only when the request is encrypted (using HTTPS). In this manner, session theft is greatly mitigated.
References
- CAPEC-31. Accessing/Intercepting/Modifying HTTP cookies
- CWE-352. Cross-site request forgery (CSRF)
- CWE-614. Sensitive cookie in HTTPS session without 'secure' attribute
- CWE-1004. Sensitive cookie without 'HttpOnly' flag
- CWE-79. Improper neutralization of input during web page generation ("cross-site scripting")
- CWE-539. Use of persistent cookies containing sensitive information
- CWE-1275. Sensitive cookie with improper sameSite attribute
- NIST80063-7_1_1. Browser cookies
- OWASP10-A2. Cryptographic failures
- OWASP10-A3. Injection
- OWASP10-A7. Identification and authentication failures
- MITRE-M1021. Restrict web-based content
- PADSS-5_2_7. Cross-site scripting (XSS)
- PADSS-5_2_9. Cross-site request forgery (CSRF)
- PADSS-5_2_10. Broken authentication and session management
- SANS25-2. Improper neutralization of input during web page generation (cross-site scripting)
- SANS25-3. Improper neutralization of special elements used in an SQL command (SQL injection)
- SANS25-9. Cross-site request forgery (CSRF)
- ISO27002-8_26. Application security requirements
- IEC62443-SI-3_8. Session integrity
- WASSEC-1_1. Transport support
- WASSEC-3_2_1. HTTP cookies
- WASSEC-6_2_2_5. Authorization - Session weaknesses
- WASSEC-6_2_3_2. Client-side attacks - Cross-site scripting
- WASSEC-6_2_3_5. Client-side attacks - Cross-site request forgery
- WASC-A_08. Cross-site scripting
- WASC-A_09. Cross-site request forgery
- ISSAF-T_13_2. Web application assessment - Test invalidated parameters (Cross Site Scripting)
- ISSAF-T_13_3. Web application assessment - Test invalidated parameters (Cross Site Tracing)
- ISSAF-T_14_3. Web application assessment - Cookie manipulation
- ISSAF-T_16_1. Web application assessment - Input validation (validate data)
- ISSAF-T_19_1. Web application assessment - Global Countermeasures (client-side)
- ISSAF-V_10. Application security - Source code auditing (Cross Site Scripting XSS)
- PTES-5_2_3_1. Vulnerability analysis - Web application scanners (application flaw scanners)
- MVSP-2_2. Application design controls - HTTPS only
- MVSP-3_3. Application implementation controls - Vulnerability prevention
- OWASPSCP-4. Session management
- BSAFSS-SC_3-3. Secure Coding (secure software against unsafe functions)
- CWE25-79. Improper neutralization of input during web page generation (cross-site scripting)
- CWE25-89. Improper neutralization of special elements used in an SQL command (SQL injection)
- CWE25-352. Cross-site request forgery (CSRF)
- ASVS-3_2_3. Session binding
- ASVS-3_4_2. Cookie-based session management
- ASVS-3_4_3. Cookie-based session management
- PCI-6_2_4. Software engineering techniques to prevent or mitigate common software attacks
- PCI-6_4_1. Public-facing web applications are protected against attacks
- SIGLITE-SL_81. Is HTTPS enabled for all web pages used as part of the scoped service?
- SIG-I_2_7_1. Application security
- SIG-I_3_2_4. Application security
- ASVS-3_4_1. Cookie-based session management
- ASVS-3_4_4. Cookie-based session management
- ASVS-3_4_5. Cookie-based session management
- ASVS-13_2_3. RESTful web service
- ISO27001-8_26. Application security requirements
- CASA-3_2_3. Session Binding
- CASA-3_4_1. Cookie-based Session Management
- CASA-3_4_2. Cookie-based Session Management
- CASA-3_4_3. Cookie-based Session Management
Weaknesses
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan.If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.
Supported In
This requirement is verified in following services
Essential Plan
Advanced Plan