-
Notifications
You must be signed in to change notification settings - Fork 8
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
39 changed files
with
930 additions
and
1,387 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,95 @@ | ||
| patterns: | ||
| - pattern: $<SESSION> | ||
| filters: | ||
| - variable: SESSION | ||
| detection: go_gorilla_cookie_missing_http_only_session | ||
| scope: cursor_strict | ||
| - not: | ||
| variable: SESSION | ||
| detection: go_gorilla_cookie_missing_http_only_http_only_true | ||
| scope: cursor_strict | ||
| auxiliary: | ||
| - id: go_gorilla_cookie_missing_http_only_sessions_init | ||
| patterns: | ||
| - import $<!>"github.com/gorilla/sessions" | ||
| - | | ||
| import ( | ||
| $<!>"github.com/gorilla/sessions" | ||
| ) | ||
| - id: go_gorilla_cookie_missing_http_only_true | ||
| patterns: | ||
| - "true" | ||
| - id: go_gorilla_cookie_missing_http_only_http_only_true | ||
| patterns: | ||
| - pattern: "$<_>{ HttpOnly: $<TRUE> }" | ||
| filters: | ||
| - variable: "TRUE" | ||
| detection: go_gorilla_cookie_missing_http_only_true | ||
| scope: cursor | ||
| - id: go_gorilla_cookie_missing_http_only_session | ||
| patterns: | ||
| - pattern: $<SESSION>.Options{} | ||
| filters: | ||
| - variable: SESSION | ||
| detection: go_gorilla_cookie_missing_http_only_sessions_init | ||
| scope: cursor | ||
| languages: | ||
| - go | ||
| metadata: | ||
| description: "Missing 'HttpOnly' option in cookie configuration." | ||
| remediation_message: | | ||
| ## Description | ||
| When set to "true", the "HttpOnly" attribute protects the cookie value from being accessed by client side JavaScript such as reading the "document.cookie" values. | ||
| By enabling this protection, a website that is vulnerable to Cross-Site Scripting (XSS) will be able to block malicious scripts from accessing the cookie value from JavaScript. | ||
| It's essential to configure cookie security options properly, especially when using session management libraries like Gorilla Sessions in Go. | ||
| ## Remediations | ||
| To ensure that cookies, particularly session cookies, are secure: | ||
| ✅ Configure HttpOnly | ||
| Set the `HttpOnly` attribute to `true` within the Gorilla Sessions cookie store. This prevents client-side scripts from accessing the cookie data, reducing XSS attack risks. | ||
| ```go | ||
| import ( | ||
| "github.com/gorilla/sessions" | ||
| "net/http" | ||
| ) | ||
| var store = sessions.NewCookieStore([]byte("your-secret-key")) | ||
| func MyHandler(w http.ResponseWriter, r *http.Request) { | ||
| // Get a session. We're ignoring the error resulted from decoding an | ||
| // existing session: Get() always returns a session, even if empty. | ||
| session, _ := store.Get(r, "session-name") | ||
| // Set some session values. | ||
| session.Values["foo"] = "bar" | ||
| // Set the session to be HttpOnly. | ||
| session.Options.HttpOnly = true | ||
| // Save changes. | ||
| session.Save(r, w) | ||
| } | ||
| ``` | ||
| ✅ Leverage Gorilla SecureCookie | ||
| Utilize the encoding/decoding capabilities of Gorilla's SecureCookie to securely store session data. | ||
| ✅ Implement Strong Session Management | ||
| Use Gorilla's session management features to create, renew, and expire sessions in a secure manner, preventing session fixation and other session-related attacks. | ||
| ## Resources | ||
| - [Gorilla Sessions Documentation](http://www.gorillatoolkit.org/pkg/sessions) | ||
| - [OWASP Session Management Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html) | ||
| - [OWASP Cookies Properties](https://owasp.org/www-community/controls/SecureCookieAttribute) | ||
| cwe_id: | ||
| - 1004 | ||
| id: go_gorilla_cookie_missing_http_only | ||
| documentation_url: https://docs.bearer.com/reference/rules/go_gorilla_cookie_missing_http_only | ||
| cloud_code_suggestions: true |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,72 @@ | ||
| patterns: | ||
| - pattern: $<COOKIE> | ||
| filters: | ||
| - variable: COOKIE | ||
| detection: go_lang_cookie_missing_http_only_http_cookie | ||
| scope: cursor_strict | ||
| - not: | ||
| variable: COOKIE | ||
| detection: go_lang_cookie_missing_http_only_true | ||
| scope: cursor_strict | ||
| auxiliary: | ||
| - id: go_lang_cookie_missing_http_only_cookie_init | ||
| patterns: | ||
| - import $<!>"net/http" | ||
| - | | ||
| import ( | ||
| $<!>"net/http" | ||
| ) | ||
| - id: go_lang_cookie_missing_http_only_true | ||
| patterns: | ||
| - "true" | ||
| - id: go_lang_cookie_missing_http_only_http_cookie | ||
| patterns: | ||
| - pattern: $<HTTP>.Cookie{} | ||
| filters: | ||
| - variable: HTTP | ||
| detection: go_lang_cookie_missing_http_only_cookie_init | ||
| scope: cursor | ||
| - id: go_lang_cookie_missing_http_only_http_only_true | ||
| patterns: | ||
| - pattern: "$<_>{ HttpOnly: $<TRUE> }" | ||
| filters: | ||
| - variable: "TRUE" | ||
| detection: go_lang_cookie_missing_http_only_true | ||
| scope: cursor | ||
| languages: | ||
| - go | ||
| metadata: | ||
| description: "Missing secure options for cookie detected." | ||
| remediation_message: | | ||
| ## Description | ||
| When set to "true", the "HttpOnly" attribute protects the cookie value from being accessed by client side JavaScript such as reading the "document.cookie" values. | ||
| By enabling this protection, a website that is vulnerable to Cross-Site Scripting (XSS) will be able to block malicious scripts from accessing the cookie value from JavaScript. | ||
| ## Remediations | ||
| To enhance cookie security and protect against common web exploits: | ||
| ✅ Set the `HttpOnly` attribute for cookies to `true`. This prevents client-side scripts from accessing the cookie, reducing the risk of client-side attacks. | ||
| ```go | ||
| http.SetCookie(w, &http.Cookie{ | ||
| Name: "session_token", | ||
| Value: sessionToken, | ||
| HttpOnly: true, // Secure the cookie from client-side scripts | ||
| // Additional flags like Secure, SameSite, etc., should be set as needed. | ||
| }) | ||
| ``` | ||
| ✅ Alongside `HttpOnly`, consider setting `Secure`, `SameSite`, and `Domain` attributes to further secure cookies based on your application’s requirements. | ||
| ## Resources | ||
| For best practices on setting cookies securely, explore: | ||
| - [OWASP Secure Session Management Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html) | ||
| - [MDN Web Docs: HttpOnly Cookie Attribute](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies) | ||
| cwe_id: | ||
| - 1004 | ||
| id: go_lang_cookie_missing_http_only | ||
| documentation_url: https://docs.bearer.com/reference/rules/go_lang_cookie_missing_http_only |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,39 @@ | ||
| imports: | ||
| - java_shared_lang_instance | ||
| patterns: | ||
| - pattern: $<COOKIE>.setHttpOnly($<FALSE>) | ||
| filters: | ||
| - variable: COOKIE | ||
| detection: java_shared_lang_instance | ||
| scope: cursor | ||
| filters: | ||
| - variable: JAVA_SHARED_LANG_INSTANCE_TYPE | ||
| regex: \A(javax\.servlet\.http\.)?Cookie\z | ||
| - variable: "FALSE" | ||
| detection: java_lang_cookie_with_http_only_false_false | ||
| scope: cursor | ||
| auxiliary: | ||
| - id: java_lang_cookie_with_http_only_false_false | ||
| patterns: | ||
| - "false;" | ||
| languages: | ||
| - java | ||
| metadata: | ||
| description: "Missing secure options for cookie detected." | ||
| remediation_message: | | ||
| ## Description | ||
| To make sure cookies don't open your application up to exploits or unauthorized access, make sure to set security options appropriately. | ||
| ## Remediations | ||
| ✅ Set `HttpOnly` to `true` to protect the cookie value from being accessed by client side JavaScript | ||
| ```java | ||
| cookie.setHttpOnly(true); | ||
| ``` | ||
| cwe_id: | ||
| - 1004 | ||
| id: java_lang_cookie_with_http_only_false | ||
| documentation_url: https://docs.bearer.com/reference/rules/java_lang_cookie_with_http_only_false | ||
| cloud_code_suggestions: true |
Oops, something went wrong.