2020-06-30 16:59:06 +02:00
Data in a web session is considered inside the "trust boundary". That is, it is assumed to be trustworthy. But storing unvetted data from an unauthenticated user violates the trust boundary, and may lead to that data being used inappropriately.
2021-02-02 15:02:10 +01:00
2021-01-27 13:42:22 +01:00
This rule raises an issue when data from ``++Cookie++``s or ``++HttpServletRequest++``s is stored in a session.
2020-06-30 16:59:06 +02:00
== Noncompliant Code Example
----
login = request.getParameter("login");
session.setAttribute("login", login); // Noncompliant
----
== See
2021-11-01 15:00:32 +01:00
* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A4] - Insecure Design
2020-06-30 16:59:06 +02:00
* https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
2021-10-28 10:07:16 +02:00
* https://cwe.mitre.org/data/definitions/501.html[MITRE, CWE-501] - Trust Boundary Violation
2020-06-30 16:59:06 +02:00
