include::../description.adoc[] include::../ask-yourself.adoc[] include::../recommended.adoc[] == Sensitive Code Example ---- // === javax.servlet === import javax.servlet.http.Cookie; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServletRequest; public class JavaxServlet { void aServiceMethodSettingCookie(HttpServletRequest request, HttpServletResponse response, String acctID) { Cookie cookie = new Cookie("userAccountID", acctID); // Sensitive response.addCookie(cookie); // Sensitive } } ---- ---- // === javax.ws === import java.util.Date; import javax.ws.rs.core.Cookie; import javax.ws.rs.core.NewCookie; class JavaxWs { void jaxRsCookie(String comment, int maxAge, boolean secure, Date expiry, boolean httpOnly, String name, String value, String path, String domain, int version) { Cookie cookie= new Cookie("name", "value"); // Sensitive new NewCookie(cookie); // Sensitive new NewCookie(cookie, comment, maxAge, secure); // Sensitive new NewCookie(cookie, comment, maxAge, expiry, secure, httpOnly); // Sensitive new NewCookie(name, value); // Sensitive new NewCookie(name, value, path, domain, version, comment, maxAge, secure); // Sensitive new NewCookie(name, value, path, domain, version, comment, maxAge, expiry, secure, httpOnly); // Sensitive new NewCookie(name, value, path, domain, comment, maxAge, secure); // Sensitive new NewCookie(name, value, path, domain, comment, maxAge, secure, httpOnly); // Sensitive } } ---- ---- // === java.net === import java.net.HttpCookie; class JavaNet { void httpCookie(HttpCookie hc) { HttpCookie cookie = new HttpCookie("name", "value"); // Sensitive cookie.setValue("value"); // Sensitive } } ---- ---- // === apache.shiro === import org.apache.shiro.web.servlet.SimpleCookie; class ApacheShiro { void shiroCookie(SimpleCookie cookie) { SimpleCookie sc = new SimpleCookie(cookie); // Sensitive cookie.setValue("value"); // Sensitive } } ---- ---- // === Play === import play.mvc.Http.Cookie; import play.mvc.Http.CookieBuilder; class Play { void playCookie() { CookieBuilder builder = Cookie.builder("name", "value"); // Sensitive builder.withName("name") .withValue("value") // Sensitive .build(); } } ---- == See * https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure * https://cwe.mitre.org/data/definitions/312[MITRE, CWE-312] - Cleartext Storage of Sensitive Information * https://cwe.mitre.org/data/definitions/315[MITRE, CWE-315] - Cleartext Storage of Sensitive Information in a Cookie * https://wiki.sei.cmu.edu/confluence/display/java/FIO52-J.+Do+not+store+unencrypted+sensitive+information+on+the+client+side[CERT, FIO52-J.] - Do not store unencrypted sensitive information on the client side * Derived from FindSecBugs rule https://find-sec-bugs.github.io/bugs.htm#COOKIE_USAGE[COOKIE_USAGE] ifdef::env-github,rspecator-view[] ''' == Implementation Specification (visible only on this page) include::../message.adoc[] === Highlighting * the ``++value++`` field, ie the second argument of the ``++new Cookie(...)++`` constructor or * the parameter of the ``++setValue++`` call on a Cookie object ''' == Comments And Links (visible only on this page) include::../comments-and-links.adoc[] endif::env-github,rspecator-view[]