ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S3330/java/rule.adoc
Fred Tingaud 16f6c0aecf
Inline adoc when include has no additional value (#1940) 
Inline adoc files when they are included exactly once.

Also fix language tags because this inlining gives us better information
on what language the code is written in.
2023-05-25 14:18:12 +02:00

66 lines
2.2 KiB
Plaintext
Raw Blame History

include::../description.adoc[]
include::../ask-yourself.adoc[]
include::../recommended.adoc[]
== Sensitive Code Example
If you create a security-sensitive cookie in your JAVA code:
----
Cookie c = new Cookie(COOKIENAME, sensitivedata);
c.setHttpOnly(false); // Sensitive: this sensitive cookie is created with the httponly flag set to false and so it can be stolen easily in case of XSS vulnerability
----
By default the https://docs.oracle.com/javaee/6/api/javax/servlet/http/Cookie.html#setHttpOnly(boolean)[``++HttpOnly++``] flag is set to _false:_
----
Cookie c = new Cookie(COOKIENAME, sensitivedata); // Sensitive: this sensitive cookie is created with the httponly flag not defined (by default set to false) and so it can be stolen easily in case of XSS vulnerability
----
== Compliant Solution
[source,java]
----
Cookie c = new Cookie(COOKIENAME, sensitivedata);
c.setHttpOnly(true); // Compliant: this sensitive cookie is protected against theft (HttpOnly=true)
----
include::../see.adoc[]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
include::../message.adoc[]
'''
== Comments And Links
(visible only on this page)
=== on 5 Mar 2018, 16:44:11 Alexandre Gigleux wrote:
Out of scope: this rule doesn't cover the case of ``++HttpOnly++`` configured properly in a web.xml:
----
<session-config>
<cookie-config>
<http-only>true</http-only>
</cookie-config>
</session-config>
----
=== on 16 May 2018, 14:18:25 Andrei Epure wrote:
Also out of scope:
* https://docs.spring.io/spring-boot/docs/current/reference/html/common-application-properties.html[spring configuration] ``++server.servlet.session.cookie.http-only++``
* detecting common class that adds HttpOnly to all cookies passed around the app like Web Filter + https://github.com/ESAPI/esapi-java-legacy/blob/14e60d33207fd6a8e74151932a25b50e0de8e61b/src/main/java/org/owasp/esapi/filters/SecurityWrapperResponse.java#L78[SecurityWrapperResponse.addCookie] method of the OWASP ESAPI project (see details in this https://stackoverflow.com/questions/35421596/cookie-http-only-with-spring-security-and-servlet-2-5#35493412[SO answer])
include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink