rspec/rules/S3330/java/rule.adoc

include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

If you create a security-sensitive cookie in your JAVA code:

----
Cookie c = new Cookie(COOKIENAME, sensitivedata);
c.setHttpOnly(false);  // Sensitive: this sensitive cookie is created with the httponly flag set to false and so it can be stolen easily in case of XSS vulnerability
----

By default the https://docs.oracle.com/javaee/6/api/javax/servlet/http/Cookie.html#setHttpOnly(boolean)[``++HttpOnly++``] flag is set to _false:_

----
Cookie c = new Cookie(COOKIENAME, sensitivedata);  // Sensitive: this sensitive cookie is created with the httponly flag not defined (by default set to false) and so it can be stolen easily in case of XSS vulnerability
----

== Compliant Solution

[source,java]
----
Cookie c = new Cookie(COOKIENAME, sensitivedata);
c.setHttpOnly(true); // Compliant: this sensitive cookie is protected against theft (HttpOnly=true)
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

'''
== Comments And Links
(visible only on this page)

=== on 5 Mar 2018, 16:44:11 Alexandre Gigleux wrote:
Out of scope: this rule doesn't cover the case of ``++HttpOnly++`` configured properly in a web.xml:


----
<session-config>
 <cookie-config>
  <http-only>true</http-only>
 </cookie-config>
</session-config>
----

=== on 16 May 2018, 14:18:25 Andrei Epure wrote:
Also out of scope:

* https://docs.spring.io/spring-boot/docs/current/reference/html/common-application-properties.html[spring configuration] ``++server.servlet.session.cookie.http-only++``
* detecting common class that adds HttpOnly to all cookies passed around the app like Web Filter + https://github.com/ESAPI/esapi-java-legacy/blob/14e60d33207fd6a8e74151932a25b50e0de8e61b/src/main/java/org/owasp/esapi/filters/SecurityWrapperResponse.java#L78[SecurityWrapperResponse.addCookie] method of the OWASP ESAPI project (see details in this https://stackoverflow.com/questions/35421596/cookie-http-only-with-spring-security-and-servlet-2-5#35493412[SO answer])


include::../comments-and-links.adoc[]

endif::env-github,rspecator-view[]
Add rules 3000-3999 2020-06-30 12:48:39 +02:00			`include::../description.adoc[]`

			`include::../ask-yourself.adoc[]`

			`include::../recommended.adoc[]`

			`== Sensitive Code Example`

			`If you create a security-sensitive cookie in your JAVA code:`
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Add rules 3000-3999 2020-06-30 12:48:39 +02:00			`----`
			`Cookie c = new Cookie(COOKIENAME, sensitivedata);`
			`c.setHttpOnly(false); // Sensitive: this sensitive cookie is created with the httponly flag set to false and so it can be stolen easily in case of XSS vulnerability`
			`----`

make in-line code blocks verbatim 2021-01-27 13:42:22 +01:00			By default the https://docs.oracle.com/javaee/6/api/javax/servlet/http/Cookie.html#setHttpOnly(boolean)[``++HttpOnly++``] flag is set to _false:_
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Add rules 3000-3999 2020-06-30 12:48:39 +02:00			`----`
			`Cookie c = new Cookie(COOKIENAME, sensitivedata); // Sensitive: this sensitive cookie is created with the httponly flag not defined (by default set to false) and so it can be stolen easily in case of XSS vulnerability`
			`----`

			`== Compliant Solution`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,java]`
Add rules 3000-3999 2020-06-30 12:48:39 +02:00			`----`
			`Cookie c = new Cookie(COOKIENAME, sensitivedata);`
			`c.setHttpOnly(true); // Compliant: this sensitive cookie is protected against theft (HttpOnly=true)`
			`----`

			`include::../see.adoc[]`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`include::../message.adoc[]`

RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== on 5 Mar 2018, 16:44:11 Alexandre Gigleux wrote:`
			Out of scope: this rule doesn't cover the case of ``++HttpOnly++`` configured properly in a web.xml:


			`----`
			`<session-config>`
			`<cookie-config>`
			`<http-only>true</http-only>`
			`</cookie-config>`
			`</session-config>`
			`----`

			`=== on 16 May 2018, 14:18:25 Andrei Epure wrote:`
			`Also out of scope:`

			* https://docs.spring.io/spring-boot/docs/current/reference/html/common-application-properties.html[spring configuration] ``++server.servlet.session.cookie.http-only++``
			`* detecting common class that adds HttpOnly to all cookies passed around the app like Web Filter + https://github.com/ESAPI/esapi-java-legacy/blob/14e60d33207fd6a8e74151932a25b50e0de8e61b/src/main/java/org/owasp/esapi/filters/SecurityWrapperResponse.java#L78[SecurityWrapperResponse.addCookie] method of the OWASP ESAPI project (see details in this https://stackoverflow.com/questions/35421596/cookie-http-only-with-spring-security-and-servlet-2-5#35493412[SO answer])`


			`include::../comments-and-links.adoc[]`

Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`