56 lines
2.7 KiB
Plaintext
56 lines
2.7 KiB
Plaintext
=== on 3 Dec 2014, 14:51:04 Ann Campbell wrote:
|
|
The goal of this rule is to track the use of cookies. Security auditors can then decide which cookies need attention.
|
|
|
|
=== on 12 Dec 2014, 20:44:22 Sébastien Gioria wrote:
|
|
As a Security auditor, I must said : "you should never store any sensitive information in a cookie".
|
|
|
|
=== on 12 Dec 2014, 20:52:16 Ann Campbell wrote:
|
|
\[~sebastien.gioria] if you're talking about the title, the current version follows our standards:
|
|
|
|
X should [not] y
|
|
|
|
cc [~freddy.mallet]
|
|
|
|
=== on 12 Dec 2014, 21:09:38 Sébastien Gioria wrote:
|
|
\[~ann.campbell.2]: I refer to the Message in the rule : "If the data stored in this cookie is sensitive, it should be encrypted or stored internally in the user session. "
|
|
|
|
|
|
Message should be : "If the data stored in this cookie is sensitive, it should be stored internally in the user session. "
|
|
|
|
|
|
|
|
=== on 15 Dec 2014, 10:32:07 Freddy Mallet wrote:
|
|
I agree with [~sebastien.gioria] [~ann.campbell.2], we should remove the "encrypted" option in the remediation action.
|
|
|
|
=== on 15 Dec 2014, 14:53:18 Ann Campbell wrote:
|
|
Done [~sebastien.gioria]
|
|
|
|
cc [~freddy.mallet]
|
|
|
|
=== on 20 Jul 2015, 07:44:10 Ann Campbell wrote:
|
|
Tagged java-top by Ann
|
|
|
|
=== on 7 Mar 2018, 19:01:41 Ann Campbell wrote:
|
|
\[~alexandre.gigleux] that "derived from" reference you omitted was there because of discussions and agreement with the FindSecBugs author. Granted, this was several years ago (the Geneva office was still on 5) but...
|
|
|
|
=== on 9 Mar 2018, 20:51:25 Alexandre Gigleux wrote:
|
|
\[~ann.campbell.2] Fixed
|
|
|
|
=== on 28 Mar 2018, 16:35:00 Alexandre Gigleux wrote:
|
|
This is a "Security Hotspot".
|
|
|
|
=== on 14 May 2018, 08:57:31 Andrei Epure wrote:
|
|
Having the https://find-sec-bugs.github.io/bugs.htm#COOKIE_USAGE[FindSecBugs rule COOKIE_USAGE] in the description is a bit misleading. The description of the rule is ok, but the actual find-sec-bugs implementation is inside https://github.com/find-sec-bugs/find-sec-bugs/blob/1d288ef15122a4d883343769dd221cbe7bbeecb1/plugin/src/main/java/com/h3xstream/findsecbugs/cookie/CookieReadDetector.java[CookieReadDetector.java] which merely detects if the cookie is read.
|
|
|
|
=== on 15 Nov 2018, 14:32:20 Alexandre Gigleux wrote:
|
|
\[~andrei.epure] This rule was inspired by FindSecBugs one and we agreed years ago with the main contributor of FindSecBugs to keep a reference to his rule.
|
|
|
|
=== on 21 May 2019, 19:49:42 Ann Campbell wrote:
|
|
It's not _writing_ cookies that's the (potential) problem but what you store in them, right?
|
|
|
|
=== on 27 May 2020, 16:51:51 Eric Therond wrote:
|
|
Deprecated because it overlaps with rules related to cookies (flags etc)
|
|
|
|
The content of a cookies is often sensitive (session id, tracking id), it's their goal, there is nothing to fix when an issue is raised here.
|
|
|