Cookies with security attributes

Summary

The session cookies of web applications must have security attributes (HttpOnly, Secure, SameSite) and prefixes (e.g., __Host-).

Description

When you have web applications that handle sessions, you can use different attributes to improve the security related to the cookies that handle these sessions. The attributes HttpOnly and Secure prevent the theft of the session cookie by denying the browser visibility and access to it (even when Cross Site Scripting [XSS] attacks are used) and allow the cookie to be sent only when the request is encrypted (using HTTPS). In this manner, session theft is greatly mitigated.

Supported In

This requirement is verified in following services

Plan	Supported
Machine	🟢
Squad	🟢

References

• CAPEC™-31. Accessing/Intercepting/Modifying HTTP cookies
• CWE™-352. Cross-site request forgery (CSRF)
• CWE™-614. Sensitive cookie in HTTPS session without 'secure' attribute
• CWE™-1004. Sensitive cookie without 'HttpOnly' flag
• CWE™-79. Improper neutralization of input during web page generation ("cross-site scripting")
• CWE™-539. Use of persistent cookies containing sensitive information
• CWE™-1275. Sensitive cookie with improper sameSite attribute
• NIST 800-63B-7_1_1. Browser cookies
• OWASP TOP 10-A2. Cryptographic failures
• OWASP TOP 10-A3. Injection
• OWASP TOP 10-A7. Identification and authentication failures
• MITRE ATT&CK®-M1021. Restrict web-based content
• PA-DSS-5_2_7. Cross-site scripting (XSS)
• PA-DSS-5_2_9. Cross-site request forgery (CSRF)
• PA-DSS-5_2_10. Broken authentication and session management
• SANS 25-9. Cross-Site Request Forgery (CSRF)
• ISO/IEC 27002-8_26. Application security requirements
• ISA/IEC 62443-SI-3_8. Session integrity
• WASSEC-1_1. Transport support
• WASSEC-3_2_1. HTTP cookies
• WASSEC-6_2_2_5. Authorization - Session weaknesses
• WASSEC-6_2_3_2. Client-side attacks - Cross-site scripting
• WASSEC-6_2_3_5. Client-side attacks - Cross-site request forgery
• WASC-A_08. Cross-site scripting
• WASC-A_09. Cross-site request forgery
• ISSAF-T_13_2. Web application assessment - Test invalidated parameters (Cross Site Scripting)
• ISSAF-T_13_3. Web application assessment - Test invalidated parameters (Cross Site Tracing)
• ISSAF-T_14_3. Web application assessment - Cookie manipulation
• ISSAF-T_16_1. Web application assessment - Input validation (validate data)
• ISSAF-T_19_1. Web application assessment - Global Countermeasures (client-side)
• ISSAF-V_10. Application security - Source code auditing (Cross Site Scripting XSS)
• PTES-5_2_3_1. Vulnerability analysis - Web application scanners (application flaw scanners)
• MVSP-2_2. Application design controls - HTTPS only
• MVSP-3_3. Application implementation controls - Vulnerability prevention
• OWASP SCP-4. Session management
• BSAFSS-SC_3-3. Secure Coding (secure software against unsafe functions)
• CWE TOP 25-79. Improper neutralization of input during web page generation (cross-site scripting)
• CWE TOP 25-352. Cross-site request forgery (CSRF)
• OWASP ASVS-3_2_3. Session binding
• OWASP ASVS-3_4_2. Cookie-based session management
• OWASP ASVS-3_4_3. Cookie-based session management
• PCI DSS-6_2_4. Software engineering techniques to prevent or mitigate common software attacks
• PCI DSS-6_4_1. Public-facing web applications are protected against attacks
• SIG Lite-SL_81. Is HTTPS enabled for all web pages used as part of the scoped service?
• SIG Core-I_2_7_1. Application security
• SIG Core-I_3_2_4. Application security
• OWASP ASVS-3_4_1. Cookie-based session management
• OWASP ASVS-3_4_4. Cookie-based session management
• OWASP ASVS-3_4_5. Cookie-based session management
• OWASP ASVS-13_2_3. RESTful web service
• ISO/IEC 27001-8_26. Application security requirements
• CASA-3_2_3. Session Binding
• CASA-3_4_1. Cookie-based Session Management
• CASA-3_4_2. Cookie-based Session Management
• CASA-3_4_3. Cookie-based Session Management

Vulnerabilities

• 007. Cross-site request forgery
• 008. Reflected cross-site scripting (XSS)
• 010. Stored cross-site scripting (XSS)
• 042. Insecurely generated cookies
• 128. Insecurely generated cookies - HttpOnly
• 129. Insecurely generated cookies - SameSite
• 130. Insecurely generated cookies - Secure

free trial

Search for vulnerabilities in your apps for free with our automated security testing! Start your 21-day free trial and discover the benefits of our Continuous Hacking Machine Plan. If you prefer a full service that includes the expertise of our ethical hackers, don't hesitate to contact us for our Continuous Hacking Squad Plan.