
Javascript Path Undefined In Session Cookie

Description

Detects session cookies that are created without an explicit 'path' attribute. When the attribute is omitted the cookie's scope is left implicit: a raw Set-Cookie header with no Path is scoped by the browser's default-path rule (RFC 6265), i.e. the directory of the URL that set it, so the scope depends on which endpoint happened to issue the cookie; express-session fills in '/' by default, so the session cookie is sent with every request to the origin, including paths that never need it. Declaring the path makes the intended scope explicit and lets it be narrowed to the application's mount point. Note that the Path attribute is not a security boundary: pages on any path of the same origin can read and overwrite cookies set for other paths, so path scoping is defense in depth alongside HttpOnly, Secure and SameSite, not a substitute for them.

Weakness:

042 - Insecurely generated cookies

Category: Access Subversion

Detection Strategy

    Check for cookie creation or manipulation operations in JavaScript code

    Examine if the cookie being set contains session-related data or authentication information

    Verify if the cookie configuration is missing an explicit 'path' attribute

    Report a vulnerability when session cookies are configured without a defined path parameter
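The following Node script is an added example, not code from the page, from express-session or from any scanner. The helper names defaultPath, pathMatches, effectivePath and checkSessionCookieOptions are hypothetical, and the headers and option objects it runs on are constructed. It shows the two halves of the point above: how a browser scopes a session cookie whose Set-Cookie header carries no Path attribute (RFC 6265 default-path and path-match rules), and the detection steps applied to an express-session style options object.

```javascript
// Added example for this rule (not from the page or from express-session).
// Helper names are assumptions made for this example.

// RFC 6265 5.1.4: when Path is absent, the cookie path is derived from the
// path of the request URI that set the cookie.
function defaultPath(requestPath) {
  if (!requestPath || requestPath[0] !== '/') return '/';
  const lastSlash = requestPath.lastIndexOf('/');
  if (lastSlash === 0) return '/';              // no more than one "/"
  return requestPath.slice(0, lastSlash);       // up to, not including, the rightmost "/"
}

// RFC 6265 5.1.4 path-match: is a cookie scoped to cookiePath sent with requestPath?
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  if (cookiePath.endsWith('/')) return true;
  return requestPath[cookiePath.length] === '/';
}

// Effective cookie path for a Set-Cookie header received in a response to setterPath.
// RFC 6265 5.2.4: a Path value that is empty or does not start with "/" is ignored
// and the default-path is used instead.
function effectivePath(setCookieHeader, setterPath) {
  const m = /;\s*path=([^;]*)/i.exec(setCookieHeader);
  const value = m ? m[1].trim() : '';
  return value.startsWith('/') ? value : defaultPath(setterPath);
}

// The rule's check over an express-session style options object (constructed
// for this example). It reports path problems only; other cookie attributes
// belong to their own rules.
function checkSessionCookieOptions(opts) {
  const cookie = (opts && opts.cookie) || {};
  const findings = [];
  if (!Object.prototype.hasOwnProperty.call(cookie, 'path')) {
    findings.push("session cookie has no explicit 'path' attribute");
  } else if (typeof cookie.path !== 'string' || !cookie.path.startsWith('/')) {
    findings.push(`session cookie 'path' must start with "/" (got ${JSON.stringify(cookie.path)})`);
  }
  return findings;
}

// Demo on constructed inputs: the same Path-less header set from two URLs
// ends up with two different scopes.
if (typeof require !== 'undefined' && require.main === module) {
  const header = 'sid=abc123; HttpOnly; Secure';   // no Path attribute
  for (const setter of ['/login', '/account/login']) {
    const p = effectivePath(header, setter);
    console.log(`set from ${setter} -> Path=${p}; sent to /api/orders: ${pathMatches('/api/orders', p)}`);
  }
  console.log(checkSessionCookieOptions({ secret: 'x', cookie: { secure: true } }));
  console.log(checkSessionCookieOptions({ secret: 'x', cookie: { path: '/', secure: true } }));
}
```

Run with `node` to see that a cookie issued from `/login` defaults to `Path=/` while the same header issued from `/account/login` defaults to `Path=/account` and is no longer sent to `/api/orders`; the checker flags the first options object and passes the second.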

Vulnerable code example

const express = require('express');
const session = require('express-session');
const app = express();

app.use(session({
  secret: 'mysecret',       // Hardcoded secret: a separate weakness, not what this rule reports
  cookie: { secure: true }  // Vulnerable: no explicit 'path', so the cookie's scope is left implicit
}));

✅ Secure code example

const express = require('express');
const session = require('express-session');
const crypto = require('crypto');

const app = express();
app.set('trust proxy', 1); // Enable if behind a reverse proxy

// Generate secret from env var or create a strong random one (a random secret
// invalidates all sessions on restart, so set SESSION_SECRET in production)
const sessionSecret = process.env.SESSION_SECRET || crypto.randomBytes(32).toString('hex');

app.use(session({
  secret: sessionSecret,
  // Explicit path: narrow it (e.g. '/app') when the app is mounted under a prefix
  cookie: { path: '/', httpOnly: true, secure: true, sameSite: 'lax' }
}));