isSecure
parameter set to true
.Secure
flag for each cookie. If the flag is set, the browser will only send the cookie over HTTPS. Sending cookies over an unencrypted channel can expose them to network sniffing attacks, and the secure flag helps keep a cookie's value confidential. This is especially important if the cookie contains private data or carries a session identifier.isSecure
parameter to true
.
...
Cookie cookie = new Cookie('emailCookie', emailCookie, path, maxAge, false, 'Strict');
...
isSecure
parameter, cookies sent during an HTTPS request are also sent during subsequent HTTP requests. Sniffing network traffic over unencrypted wireless connections is a trivial task for attackers, and sending cookies (especially those with session IDs) over HTTP can result in application compromise.Secure
flag set to true
.Secure
flag for each cookie. If the flag is set, the browser will only send the cookie over HTTPS. Sending cookies over an unencrypted channel can expose them to network sniffing attacks, so the secure flag helps keep a cookie's value confidential. This is especially important if the cookie contains private data or carries a session identifier.Secure
property.
...
HttpCookie cookie = new HttpCookie("emailCookie", email);
Response.AppendCookie(cookie);
...
Secure
flag, cookies sent during an HTTPS request will also be sent during subsequent HTTP requests. Sniffing network traffic over unencrypted wireless connections is a trivial task for attackers, so sending cookies (especially those with session IDs) over HTTP can result in application compromise.Secure
flag to true
Secure
flag for each cookie. If the flag is set, the browser will only send the cookie over HTTPS. Sending cookies over an unencrypted channel can expose them to network sniffing attacks, so the secure flag helps keep a cookie's value confidential. This is especially important if the cookie contains private data or session identifiers, or carries a CSRF token.Secure
flag.
cookie := http.Cookie{
Name: "emailCookie",
Value: email,
}
http.SetCookie(response, &cookie)
...
Secure
flag, cookies sent during an HTTPS request will also be sent during subsequent HTTP requests. Attackers can then compromise the cookie by sniffing the unencrypted network traffic, which is particularly easy over wireless networks.Secure
flag set to true
.Secure
flag for each cookie. If the flag is set, the browser will only send the cookie over HTTPS. Sending cookies over an unencrypted channel can expose them to network sniffing attacks, so the secure flag helps keep a cookie's value confidential. This is especially important if the cookie contains private data or carries a session identifier.use-secure-cookie
attribute enables the remember-me
cookie to be sent over unencrypted transport.
<http auto-config="true">
...
<remember-me use-secure-cookie="false"/>
</http>
Secure
flag, cookies sent during an HTTPS request will also be sent during subsequent HTTP requests. Sniffing network traffic over unencrypted wireless connections is a trivial task for attackers, so sending cookies (especially those with session IDs) over HTTP can result in application compromise.Secure
flag set to true
.Secure
flag for each cookie. If the flag is set, the browser will only send the cookie over HTTPS. Sending cookies over an unencrypted channel can expose them to network sniffing attacks, so the secure flag helps keep a cookie's value confidential. This is especially important if the cookie contains private data or carries a session identifier.Secure
property to true
.
res.cookie('important_cookie', info, {domain: 'secure.example.com', path: '/admin', httpOnly: true, secure: false});
Secure
flag, cookies sent during an HTTPS request will also be sent during subsequent HTTP requests. Sniffing network traffic over unencrypted wireless connections is a trivial task for attackers, so sending cookies (especially those with session IDs) over HTTP can result in application compromise.NSHTTPCookieSecure
flag set to TRUE
.Secure
flag for each cookie. If the flag is set, the browser will only send the cookie over HTTPS. Sending cookies over an unencrypted channel can expose them to network sniffing attacks, so the secure flag helps keep a cookie's value confidential. This is especially important if the cookie contains private data or carries a session identifier.Secure
flag.
...
NSDictionary *cookieProperties = [NSDictionary dictionary];
...
NSHTTPCookie *cookie = [NSHTTPCookie cookieWithProperties:cookieProperties];
...
Secure
flag, cookies sent during an HTTPS request will also be sent during subsequent HTTP requests. Sniffing network traffic over unencrypted wireless connections is a trivial task for attackers, so sending cookies (especially those with session IDs) over HTTP can result in application compromise.Secure
flag to true
Secure
flag for each cookie. If the flag is set, the browser will only send the cookie over HTTPS. Sending cookies over an unencrypted channel can expose them to network sniffing attacks, so the secure flag helps keep a cookie's value confidential. This is especially important if the cookie contains private data or carries a session identifier.Secure
flag.
...
setcookie("emailCookie", $email, 0, "/", "www.example.com");
...
Secure
flag, cookies sent during an HTTPS request will also be sent during subsequent HTTP requests. Attackers can then compromise the cookie by sniffing the unencrypted network traffic, which is particularly easy over wireless networks.Secure
flag to True
Secure
flag for each cookie. If the flag is set, the browser will only send the cookie over HTTPS. Sending cookies over an unencrypted channel can expose them to network sniffing attacks, so the secure flag helps keep a cookie's value confidential. This is especially important if the cookie contains private data or session identifiers, or carries a CSRF token.Secure
flag.
from django.http.response import HttpResponse
...
def view_method(request):
res = HttpResponse()
res.set_cookie("emailCookie", email)
return res
...
Secure
flag, cookies sent during an HTTPS request will also be sent during subsequent HTTP requests. Attackers can then compromise the cookie by sniffing the unencrypted network traffic, which is particularly easy over wireless networks.Secure
flag set to true
.Secure
flag for each cookie. If the flag is set, the browser will only send the cookie over HTTPS. Sending cookies over an unencrypted channel can expose them to network sniffing attacks, so the secure flag helps keep a cookie's value confidential. This is especially important if the cookie contains private data or carries a session identifier.Secure
flag.
Ok(Html(command)).withCookies(Cookie("sessionID", sessionID, secure = false))
Secure
flag, cookies sent during an HTTPS request will also be sent during subsequent HTTP requests. Sniffing network traffic over unencrypted wireless connections is a trivial task for attackers, so sending cookies (especially those with session IDs) over HTTP can result in application compromise.NSHTTPCookieSecure
flag set to TRUE
.Secure
flag for each cookie. If the flag is set, the browser will only send the cookie over HTTPS. Sending cookies over an unencrypted channel can expose them to network sniffing attacks, so the secure flag helps keep a cookie's value confidential. This is especially important if the cookie contains private data or carries a session identifier.Secure
flag.
...
let properties = [
NSHTTPCookieDomain: "www.example.com",
NSHTTPCookiePath: "/service",
NSHTTPCookieName: "foo",
NSHTTPCookieValue: "bar"
]
let cookie : NSHTTPCookie? = NSHTTPCookie(properties:properties)
...
Secure
flag, cookies sent during an HTTPS request will also be sent during subsequent HTTP requests. Sniffing network traffic over unencrypted wireless connections is a trivial task for attackers, so sending cookies (especially those with session IDs) over HTTP can result in application compromise.CSRF_COOKIE_SECURE
property to True
or set it to False
.Secure
flag for each cookie. If the flag is set, the browser will only send the cookie over HTTPS. Sending cookies over an unencrypted channel can expose them to network sniffing attacks, so the secure flag helps keep a cookie's value confidential. This is especially important if the cookie contains private data, session identifiers, or carries a CSRF token.Secure
bit for CSRF cookies.
...
MIDDLEWARE = (
'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
'django.middleware.common.CommonMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
'csp.middleware.CSPMiddleware',
'django.middleware.security.SecurityMiddleware',
...
)
...
Secure
flag, cookies sent during an HTTPS request will also be sent during subsequent HTTP requests. Attackers can then compromise the cookie by sniffing the unencrypted network traffic, which is particularly easy over wireless networks.HttpOnly
flag to true
.HttpOnly
cookie property to prevent client-side scripts from accessing the cookie. Cross-site scripting attacks often access cookies in an attempt to steal session identifiers or authentication tokens. Without the HttpOnly
flag enabled, attackers have easier access to user cookies.HttpOnly
property.
HttpCookie cookie = new HttpCookie("emailCookie", email);
Response.AppendCookie(cookie);
HttpOnly
flag to true
.HttpOnly
cookie property that prevents client-side scripts from accessing the cookie. Cross-site scripting attacks often access cookies in an attempt to steal session identifiers or authentication tokens. Without HttpOnly
enabled, attackers have easier access to user cookies.HttpOnly
property.
cookie := http.Cookie{
Name: "emailCookie",
Value: email,
}
...
HttpOnly
flag to true
.HttpOnly
cookie property to prevent client-side scripts from accessing the cookie. Cross-site scripting attacks often access cookies in an attempt to steal session identifiers or authentication tokens. Without the HttpOnly
flag enabled, attackers have easier access to user cookies.HttpOnly
property.
javax.servlet.http.Cookie cookie = new javax.servlet.http.Cookie("emailCookie", email);
// Missing a call to: cookie.setHttpOnly(true);
HttpOnly
flag to true
.HttpOnly
cookie property to prevent client-side scripts from accessing the cookie. Cross-site scripting attacks often access cookies in an attempt to steal session identifiers or authentication tokens. Without the HttpOnly
flag enabled, attackers have easier access to user cookies.httpOnly
property.
res.cookie('important_cookie', info, {domain: 'secure.example.com', path: '/admin'});
HttpOnly
flag to true
.HttpOnly
cookie property to prevent client-side scripts from accessing the cookie. Cross-site scripting attacks often access cookies in an attempt to steal session identifiers or authentication tokens. Without the HttpOnly
flag enabled, attackers have easier access to user cookies.HttpOnly
property.
setcookie("emailCookie", $email, 0, "/", "www.example.com", TRUE); //Missing 7th parameter to set HttpOnly
HttpOnly
flag to True
.HttpOnly
cookie property that prevents client-side scripts from accessing the cookie. Cross-site scripting attacks often access cookies in an attempt to steal session identifiers or authentication tokens. Without HttpOnly
enabled, attackers have easier access to user cookies.HttpOnly
property.
from django.http.response import HttpResponse
...
def view_method(request):
res = HttpResponse()
res.set_cookie("emailCookie", email)
return res
...
HttpOnly
flag to true
.HttpOnly
cookie property to prevent client-side scripts from accessing the cookie. Cross-site scripting attacks often access cookies in an attempt to steal session identifiers or authentication tokens. Without the HttpOnly
flag enabled, attackers have easier access to user cookies.HttpOnly
property.
Ok(Html(command)).withCookies(Cookie("sessionID", sessionID, httpOnly = false))
HttpCookie.HttpOnly
property to true
.httpOnlyCookies
attribute is false, meaning that the cookie is accessible through a client-side script. This is an unnecessary cross-site scripting threat, resulting in stolen cookies. Stolen cookies can contain sensitive information identifying the user to the site, such as the ASP.NET session ID or forms authentication ticket, and can be replayed by the attacker in order to masquerade as the user or obtain sensitive information.
<configuration>
<system.web>
<httpCookies httpOnlyCookies="false">
HttpOnly
flag to true
for CSRF cookies.HttpOnly
cookie property that prevents client-side scripts from accessing the cookie. Cross-site scripting attacks often access cookies in an attempt to steal session identifiers or authentication tokens. Without HttpOnly
enabled, attackers have easier access to user cookies.django.middleware.csrf.CsrfViewMiddleware
Django middleware, CSRF cookies are sent without setting the HttpOnly
property.
...
MIDDLEWARE = (
'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
'django.middleware.common.CommonMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
'csp.middleware.CSPMiddleware',
'django.middleware.security.SecurityMiddleware',
...
)
...
HttpOnly
flag to true
.HttpOnly
cookie property to prevent client-side scripts from accessing the cookie. Cross-site scripting attacks often access cookies in an attempt to steal session identifiers or authentication tokens. Without the HttpOnly
flag enabled, attackers have easier access to user cookies.HttpOnly
flag to true
.
server.servlet.session.cookie.http-only=false
HttpOnly
flag to true
.HttpOnly
cookie property to prevent client-side scripts from accessing the cookie. Cross-site scripting attacks often access cookies in an attempt to steal session identifiers or authentication tokens. Without the HttpOnly
flag enabled, attackers have easier access to user cookies.HttpOnly
flag to true
.
session_set_cookie_params(0, "/", "www.example.com", true, false);
HttpOnly
flag to true
for session cookies.HttpOnly
cookie property that prevents client-side scripts from accessing the cookie. Cross-site scripting attacks often access cookies in an attempt to steal session identifiers or authentication tokens. Without HttpOnly
enabled, attackers have easier access to user cookies.HttpOnly
property.
...
MIDDLEWARE = (
'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
'django.middleware.common.CommonMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
'csp.middleware.CSPMiddleware',
'django.middleware.security.SecurityMiddleware',
...
)
...
SESSION_COOKIE_HTTPONLY = False
...
__Host-
or __Secure-
prefix must have the Secure attribute set, must not set Domain attribute, and must restrict Path attribute value to /
.__Host-
and __Secure-
prefix must be set with the secure attribute. They must be set from a secure page (HTTPS). Additionally, a __Host-
prefixed cookie must not have a domain attribute specified (so that it is not sent to subdomains) and the path attribute must be set to /
. Violation of these rules can cause a browser to reject the cookie. Restricting a cookie's access to a secure channel protects it from being sent or being overwritten by a forged site over an unencrypted HTTP channel. Restrictions provided by the __Host
prefix prevent a cookie from being accessed by a subdomain where the subdomain might be owned by different entities such as a shared blog platform.SameSite
attribute on session cookies.SameSite
parameter limits the scope of the cookie so that it is only attached to a request if the request is generated from first-party or same-site context. This helps to protect cookies from Cross-Site Request Forgery (CSRF) attacks. The SameSite
parameter can have the following three values:Strict
, cookies are only sent along with requests upon top-level navigation.Lax
, cookies are sent with top-level navigation from the same host as well as GET requests originated to the host from third-party sites. For example, suppose a third-party site has either iframe
or href
tags that link to the host site. If a user follows the link, the request will include the cookie.SameSite
attribute to None
for session cookies.
...
Cookie cookie = new Cookie('name', 'Foo', path, -1, true, 'None');
...
SameSite
attribute on session cookies.SameSite
attribute limits the scope of the cookie such that it will only be attached to a request if the request is generated from first-party or same-site context. This helps to protect cookies from Cross-Site Request Forgery (CSRF) attacks. The SameSite
attribute can have the following three values:Strict
, cookies are only sent along with requests upon top-level navigation.Lax
, cookies are sent with top-level navigation from the same host as well as GET requests originating from third-party sites, including those that have either iframe
or href
tags that link to the host site. If a user follows the link, the request will include the cookie.SameSite
attribute for session cookies.
...
CookieOptions opt = new CookieOptions()
{
SameSite = SameSiteMode.None;
};
context.Response.Cookies.Append("name", "Foo", opt);
...
SameSite
attribute on session cookies.SameSite
attribute limits the scope of the cookie so that it is only attached to a request if the request is generated from first-party or same-site context. This helps to protect cookies from Cross-Site Request Forgery (CSRF) attacks. The SameSite
attribute can have the following three values:Strict
, cookies are only sent along with requests upon top-level navigation.Lax
, cookies are sent with top-level navigation from the same host as well as GET requests originated to the host from third-party sites. For example, suppose a third-party site has either iframe
or href
tags that link to the host site. If a user follows the link, the request will include the cookie.SameSite
attribute for session cookies.
c := &http.Cookie{
Name: "cookie",
Value: "samesite-none",
SameSite: http.SameSiteNoneMode,
}
SameSite
attribute on session cookies.SameSite
attribute limits the scope of the cookie so that it is only attached to a request if the request is generated from first-party or same-site context. This helps to protect cookies from Cross-Site Request Forgery (CSRF) attacks. The SameSite
attribute can have the following three values:Strict
, cookies are only sent along with requests upon top-level navigation.Lax
, cookies are sent with top-level navigation from the same host as well as GET requests originating from third-party sites, including those that have either iframe
or href
tags that link to the host site. For example, suppose there is a third-party site that has either iframe
or href
tags that link to the host site. If a user follows the link, the request will include the cookie.SameSite
attribute for session cookies.
ResponseCookie cookie = ResponseCookie.from("myCookie", "myCookieValue")
...
.sameSite("None")
...
SameSite
attribute on session cookies.SameSite
attribute limits the scope of the cookie so that it is only attached to a request if the request is generated from first-party or same-site context. This helps to protect cookies from Cross-Site Request Forgery (CSRF) attacks. The SameSite
attribute can have the following three values:Strict
, cookies are only sent along with requests upon top-level navigation.Lax
, cookies are sent with top-level navigation from the same host as well as GET requests originating from third-party sites, including those that have either iframe
or href
tags that link to the host site. For example, suppose there is a third-party site that has either iframe
or href
tags that link to the host site. If a user follows the link, the request will include the cookie.SameSite
attribute for session cookies.
app.get('/', function (req, res) {
...
res.cookie('name', 'Foo', { sameSite: false });
...
}
SameSite
attribute on session cookies.SameSite
attribute limits the scope of the cookie such that it will only be attached to a request if the request is generated from first-party or same-site context. This helps to protect cookies from Cross-Site Request Forgery (CSRF) attacks. The SameSite
attribute can have the following three values:Strict
, cookies are only sent along with requests upon top-level navigation.Lax
, cookies are sent with top-level navigation from the same host as well as GET requests originated to the host from third-party sites. For example, suppose a third-party site has either iframe
or href
tags that link to the host site. If a user follows the link, the request will include the cookie.SameSite
attribute for session cookies.
ini_set("session.cookie_samesite", "None");
SameSite
attribute on session cookies.samesite
parameter limits the scope of the cookie so that it is only attached to a request if the request is generated from first-party or same-site context. This helps to protect cookies from Cross-Site Request Forgery (CSRF) attacks. The samesite
parameter can have the following three values:Strict
, cookies are only sent along with requests upon top-level navigation.Lax
, cookies are sent with top-level navigation from the same host as well as GET requests originated to the host from third-party sites. For example, suppose a third-party site has either iframe
or href
tags that link to the host site. If a user follows the link, the request will include the cookie.SameSite
attribute for session cookies.
response.set_cookie("cookie", value="samesite-none", samesite=None)
Legacy
appended to cookiename. Sites can look for this legacy cookie if it does not find a cookie that was set with SameSite=None..example.com
". This exposes the cookie to all web applications on the base domain and any sub-domains. Because cookies often carry sensitive information such as session identifiers, sharing cookies across applications can cause a vulnerability in one application to compromise another application.http://secure.example.com/
, and the application sets a session ID cookie with the domain ".example.com
" when a user logs in.
HttpCookie cookie = new HttpCookie("sessionID", sessionID);
cookie.Domain = ".example.com";
http://insecure.example.com/
and it contains a cross-site scripting vulnerability. Any user authenticated to http://secure.example.com
that browses to http://insecure.example.com
risks exposing their session cookie from http://secure.example.com
.insecure.example.com
to create its own overly broad cookie that overwrites the cookie from secure.example.com
..example.com
". This exposes the cookie to all web applications on the base domain and any sub-domains. Because cookies often carry sensitive information such as session identifiers, sharing cookies across applications can cause a vulnerability in one application to compromise another application.http://secure.example.com/
and the application sets a session ID cookie with the domain ".example.com
" when a user logs in.
cookie := http.Cookie{
Name: "sessionID",
Value: getSessionID(),
Domain: ".example.com",
}
...
http://insecure.example.com/
, and it contains a cross-site scripting vulnerability. Any user authenticated to http://secure.example.com
that browses to http://insecure.example.com
risks exposing their session cookie from http://secure.example.com
.insecure.example.com
to create its own overly broad cookie that overwrites the cookie from Secure.example.com
..example.com
". This exposes the cookie to all web applications on the base domain and any sub-domains. Because cookies often carry sensitive information such as session identifiers, sharing cookies across applications can cause a vulnerability in one application to compromise another application.http://secure.example.com/
and the application sets a session ID cookie with the domain ".example.com
" when a user logs in.
Cookie cookie = new Cookie("sessionID", sessionID);
cookie.setDomain(".example.com");
http://insecure.example.com/
, and it contains a cross-site scripting vulnerability. Any user authenticated to http://secure.example.com
that browses to http://insecure.example.com
risks exposing their session cookie from http://secure.example.com
.insecure.example.com
to create its own overly broad cookie that overwrites the cookie from secure.example.com
..example.com
". This exposes the cookie to all web applications on the base domain and any sub-domains. Because cookies often carry sensitive information such as session identifiers, sharing cookies across applications can cause a vulnerability in one application to compromise another application.http://secure.example.com/
and the application sets a session ID cookie with the domain ".example.com
" when a user logs in.
cookie_options = {};
cookie_options.domain = '.example.com';
...
res.cookie('important_cookie', info, cookie_options);
http://insecure.example.com/
, and it contains a cross-site scripting vulnerability. Any user authenticated to http://secure.example.com
that browses to http://insecure.example.com
risks exposing their session cookie from http://secure.example.com
.insecure.example.com
to create its own overly broad cookie that overwrites the cookie from secure.example.com
..example.com
". This exposes the cookie to all web applications on the base domain and any sub-domains. Because cookies often carry sensitive information such as session identifiers, sharing cookies across applications can cause a vulnerability in one application to compromise another application.http://secure.example.com/
and the application sets a session ID cookie with the domain ".example.com
" when a user logs in.
...
NSDictionary *cookieProperties = [NSDictionary dictionary];
...
[cookieProperties setValue:@".example.com" forKey:NSHTTPCookieDomain];
...
NSHTTPCookie *cookie = [NSHTTPCookie cookieWithProperties:cookieProperties];
...
http://insecure.example.com/
, and it contains a cross-site scripting vulnerability. Any user authenticated to http://secure.example.com
that browses to http://insecure.example.com
risks exposing their session cookie from http://secure.example.com
.insecure.example.com
to create its own overly broad cookie that overwrites the cookie from secure.example.com
..example.com
". This exposes the cookie to all web applications on the base domain and any sub-domains. Because cookies often carry sensitive information such as session identifiers, sharing cookies across applications can cause a vulnerability in one application to compromise another application.http://secure.example.com/
and the application sets a session ID cookie with the domain ".example.com
" when a user logs in.
setcookie("mySessionId", getSessionID(), 0, "/", ".example.com", true, true);
http://insecure.example.com/
, and it contains a cross-site scripting vulnerability. Any user authenticated to http://secure.example.com
that browses to http://insecure.example.com
risks exposing their session cookie from http://secure.example.com
.insecure.example.com
to create its own overly broad cookie that overwrites the cookie from secure.example.com
..example.com
". This exposes the cookie to all web applications on the base domain and any sub-domains. Because cookies often carry sensitive information such as session identifiers, sharing cookies across applications can cause a vulnerability in one application to compromise another application.http://secure.example.com/
and the application sets a session ID cookie with the domain ".example.com
" when a user logs in.
from django.http.response import HttpResponse
...
def view_method(request):
res = HttpResponse()
res.set_cookie("mySessionId", getSessionID(), domain=".example.com")
return res
...
http://insecure.example.com/
, and it contains a cross-site scripting vulnerability. Any user authenticated to http://secure.example.com
that browses to http://insecure.example.com
risks exposing their session cookie from http://secure.example.com
.insecure.example.com
to create its own overly broad cookie that overwrites the cookie from secure.example.com
..example.com
". This exposes the cookie to all web applications on the base domain and any sub-domains. Because cookies often carry sensitive information such as session identifiers, sharing cookies across applications can cause a vulnerability in one application to compromise another application.http://secure.example.com/
and the application sets a session ID cookie with the domain ".example.com
" when a user logs in.
Ok(Html(command)).withCookies(Cookie("sessionID", sessionID, domain = Some(".example.com")))
http://insecure.example.com/
, and it contains a cross-site scripting vulnerability. Any user authenticated to http://secure.example.com
that browses to http://insecure.example.com
risks exposing their session cookie from http://secure.example.com
.insecure.example.com
to create its own overly broad cookie that overwrites the cookie from secure.example.com
..example.com
". This exposes the cookie to all web applications on the base domain and any sub-domains. Because cookies often carry sensitive information such as session identifiers, sharing cookies across applications can cause a vulnerability in one application to compromise another application.http://secure.example.com/
and the application sets a session ID cookie with the domain ".example.com
" when a user logs in.
...
let properties = [
NSHTTPCookieDomain: ".example.com",
NSHTTPCookiePath: "/service",
NSHTTPCookieName: "foo",
NSHTTPCookieValue: "bar",
NSHTTPCookieSecure: true
]
let cookie : NSHTTPCookie? = NSHTTPCookie(properties:properties)
...
http://insecure.example.com/
, and it contains a cross-site scripting vulnerability. Any user authenticated to http://secure.example.com
that browses to http://insecure.example.com
risks exposing their session cookie from http://secure.example.com
.insecure.example.com
to create its own overly broad cookie that overwrites the cookie from secure.example.com
./
"). This exposes the cookie to all web applications on the domain. Because cookies often carry sensitive information such as session identifiers, sharing cookies across applications can cause a vulnerability in one application to compromise another application.http://communitypages.example.com/MyForum
and the application sets a session ID cookie with the path "/
" when users log in to the forum. For example:
...
String path = '/';
Cookie cookie = new Cookie('sessionID', sessionID, path, maxAge, true, 'Strict');
...
http://communitypages.example.com/EvilSite
and posts a link to this site on the forum. When a user of the forum clicks this link, the browser will send the cookie set by /MyForum
to the application running at /EvilSite
. By stealing the session ID, the attacker can compromise the account of any forum user that browsed to /EvilSite
./EvilSite
to create its own overly broad cookie that overwrites the cookie from /MyForum
./
", however, doing so exposes the cookie to all web applications on the same domain. Because cookies often carry sensitive information such as session identifiers, sharing cookies across applications can cause a vulnerability in one application to compromise another application.http://communitypages.example.com/MyForum
and the application sets a session ID cookie with the path "/
" when users log in to the forum.
HttpCookie cookie = new HttpCookie("sessionID", sessionID);
cookie.Path = "/";
http://communitypages.example.com/EvilSite
and posts a link to this site on the forum. When a user of the forum clicks this link, the browser will send the cookie set by /MyForum
to the application running at /EvilSite
. By stealing the session ID, the attacker can compromise the account of any forum user that browsed to /EvilSite
./EvilSite
to create its own overly broad cookie that overwrites the cookie from /MyForum
./
"). This exposes the cookie to all web applications on the domain. Because cookies often carry sensitive information such as session identifiers, sharing cookies across applications can cause a vulnerability in one application to compromise another application.http://communitypages.example.com/MyForum
and the application sets a session ID cookie with the path "/
" when users log in to the forum.
cookie := http.Cookie{
Name: "sessionID",
Value: sID,
Expires: time.Now().AddDate(0, 0, 1),
Path: "/",
}
...
http://communitypages.example.com/EvilSite
and posts a link to this site on the forum. When a forum user clicks this link, the browser sends the cookie set by /MyForum
to the application running at /EvilSite
. By stealing the session ID, the attacker can compromise the account of any forum user that browsed to /EvilSite
./EvilSite
to create its own overly broad cookie that overwrites the cookie from /MyForum
./
"). This exposes the cookie to all web applications on the domain. Because cookies often carry sensitive information such as session identifiers, sharing cookies across applications can cause a vulnerability in one application to compromise another application.http://communitypages.example.com/MyForum
and the application sets a session ID cookie with the path "/
" when users log in to the forum.
Cookie cookie = new Cookie("sessionID", sessionID);
cookie.setPath("/");
http://communitypages.example.com/EvilSite
and posts a link to this site on the forum. When a user of the forum clicks this link, the browser will send the cookie set by /MyForum
to the application running at /EvilSite
. By stealing the session ID, the attacker can compromise the account of any forum user that browsed to /EvilSite
./EvilSite
to create its own overly broad cookie that overwrites the cookie from /MyForum
./
"). This exposes the cookie to all web applications on the domain. Because cookies often carry sensitive information such as session identifiers, sharing cookies across applications can cause a vulnerability in one application to compromise another application.http://communitypages.example.com/MyForum
and the application sets a session ID cookie with the path "/
" when users log in to the forum.
cookie_options = {};
cookie_options.path = '/';
...
res.cookie('important_cookie', info, cookie_options);
http://communitypages.example.com/EvilSite
and posts a link to this site on the forum. When a user of the forum clicks this link, the browser will send the cookie set by /MyForum
to the application running at /EvilSite
. By stealing the session ID, the attacker can compromise the account of any forum user that browsed to /EvilSite
./EvilSite
to create its own overly broad cookie that overwrites the cookie from /MyForum
./
"). This exposes the cookie to all web applications on the domain. Because cookies often carry sensitive information such as session identifiers, sharing cookies across applications can cause a vulnerability in one application to compromise another application.http://communitypages.example.com/MyForum
and the application sets a session ID cookie with the path "/
" when users log in to the forum.
...
NSDictionary *cookieProperties = [NSDictionary dictionary];
...
[cookieProperties setValue:@"/" forKey:NSHTTPCookiePath];
...
NSHTTPCookie *cookie = [NSHTTPCookie cookieWithProperties:cookieProperties];
...
http://communitypages.example.com/EvilSite
and posts a link to this site on the forum. When a user of the forum clicks this link, the browser will send the cookie set by /MyForum
to the application running at /EvilSite
. By stealing the session ID, the attacker can compromise the account of any forum user that browsed to /EvilSite
./EvilSite
to create its own overly broad cookie that overwrites the cookie from /MyForum
./
"). This exposes the cookie to all web applications on the domain. Because cookies often carry sensitive information such as session identifiers, sharing cookies across applications can cause a vulnerability in one application to compromise another application.http://communitypages.example.com/MyForum
and the application sets a session ID cookie with the path "/
" when users log in to the forum.
setcookie("mySessionId", getSessionID(), 0, "/", "communitypages.example.com", true, true);
http://communitypages.example.com/EvilSite
and posts a link to this site on the forum. When a user of the forum clicks this link, the browser will send the cookie set by /MyForum
to the application running at /EvilSite
. By stealing the session ID, the attacker can compromise the account of any forum user that browsed to /EvilSite
./EvilSite
to create its own overly broad cookie that overwrites the cookie from /MyForum
./
"). This exposes the cookie to all web applications on the domain. Because cookies often carry sensitive information such as session identifiers, sharing cookies across applications can cause a vulnerability in one application to compromise another application.http://communitypages.example.com/MyForum
and the application sets a session ID cookie with the path "/
" when users log in to the forum.
from django.http.response import HttpResponse
...
def view_method(request):
res = HttpResponse()
res.set_cookie("sessionid", value) # Path defaults to "/"
return res
...
http://communitypages.example.com/EvilSite
and posts a link to this site on the forum. When a user of the forum clicks this link, the browser will send the cookie set by /MyForum
to the application running at /EvilSite
. By stealing the session ID, the attacker can compromise the account of any forum user that browsed to /EvilSite
./EvilSite
to create its own overly broad cookie that overwrites the cookie from /MyForum
./
"). This exposes the cookie to all web applications on the domain. Because cookies often carry sensitive information such as session identifiers, sharing cookies across applications can cause a vulnerability in one application to compromise another application.http://communitypages.example.com/MyForum
and the application sets a session ID cookie with the path "/
" when users log in to the forum.
Ok(Html(command)).withCookies(Cookie("sessionID", sessionID, path = "/"))
http://communitypages.example.com/EvilSite
and posts a link to this site on the forum. When a user of the forum clicks this link, the browser will send the cookie set by /MyForum
to the application running at /EvilSite
. By stealing the session ID, the attacker can compromise the account of any forum user that browsed to /EvilSite
./EvilSite
to create its own overly broad cookie that overwrites the cookie from /MyForum
./
"). This exposes the cookie to all web applications on the domain. Because cookies often carry sensitive information such as session identifiers, sharing cookies across applications can cause a vulnerability in one application to compromise another application.http://communitypages.example.com/MyForum
and the application sets a session ID cookie with the path "/
" when users log in to the forum.
...
let properties = [
NSHTTPCookieDomain: "www.example.com",
NSHTTPCookiePath: "/",
NSHTTPCookieName: "foo",
NSHTTPCookieValue: "bar",
NSHTTPCookieSecure: true
]
let cookie : NSHTTPCookie? = NSHTTPCookie(properties:properties)
...
http://communitypages.example.com/EvilSite
and posts a link to this site on the forum. When a user of the forum clicks this link, the browser will send the cookie set by /MyForum
to the application running at /EvilSite
. By stealing the session ID, the attacker can compromise the account of any forum user that browsed to /EvilSite
./EvilSite
to create its own overly broad cookie that overwrites the cookie from /MyForum
..example.com
". However, doing so exposes the session cookie to all web applications on the base domain name and any sub-domains. Leaking session cookies can lead to account compromises.http://secure.example.com/
and the application sets a session cookie with the domain ".example.com
" when users log in.
server.servlet.session.cookie.domain=.example.com
http://insecure.example.com/
and it contains a cross-site scripting vulnerability. Any user authenticated to http://secure.example.com
that browses to http://insecure.example.com
risks exposing their session cookie from http://secure.example.com
..example.com
". This exposes the session cookie to all web applications on the base domain and any sub-domains. Sharing session cookies across applications can lead to a vulnerability in one application causing a compromise in another.http://secure.example.com/
and the application sets a session cookie with the domain ".example.com
" when users log in.
session_set_cookie_params(0, "/", ".example.com", true, true);
http://insecure.example.com/
and it contains a cross-site scripting vulnerability. Any user authenticated to http://secure.example.com
that browses to http://insecure.example.com
risks exposing their session cookie from http://secure.example.com
./
"). This exposes the cookie to all web applications on the same domain. Leaking session cookies can lead to account compromises because an attacker may steal the session cookie using a vulnerability in any of the applications on the domain.http://communitypages.example.com/MyForum
and the application sets a session cookie with the path "/
" when users log in to the forum. For example:
server.servlet.session.cookie.path=/
http://communitypages.example.com/EvilSite
and posts a link to this site on the forum. When a forum user clicks this link, their browser will send the session cookie set by /MyForum
to the application running at /EvilSite
. By using the session cookie provided from the user on /MyForum
, the attacker can compromise the account of any forum user that browses to /EvilSite
./
"). This exposes the cookie to all web applications on the same domain. Leaking session cookies can lead to account compromises because an attacker may steal the session cookie using a vulnerability in any of the applications on the domain.http://communitypages.example.com/MyForum
and the application sets a session cookie with the path "/
" when users log in to the forum.
session_set_cookie_params(0, "/", "communitypages.example.com", true, true);
http://communitypages.example.com/EvilSite
and posts a link to this site on the forum. When a forum user clicks this link, their browser will send the session cookie set by /MyForum
to the application running at /EvilSite
. By stealing the session cookie, the attacker can compromise the account of any forum user that browsed to /EvilSite
.SameSite
parameter on session cookies is not set to Strict
.SameSite
parameter limits the scope of the cookie so that it is only attached to a request if the request is generated from first-party or same-site context. This helps to protect cookies from Cross-Site Request Forgery (CSRF) attacks. The SameSite
parameter can have the following three values:Strict
, cookies are only sent along with requests upon top-level navigation.Lax
, cookies are sent with top-level navigation from the same host as well as GET requests originated to the host from third-party sites. For example, suppose a third-party site has either iframe
or href
tags that link to the host site. If a user follows the link, the request will include the cookie.SameSite
parameter to Lax
for session cookies.
...
Cookie cookie = new Cookie('name', 'Foo', path, -1, true, 'Lax');
...
SameSite
attribute on session cookies is not set to Strict
.SameSite
attribute protects cookies from attacks such as Cross-Site Request Forgery (CSRF). Session cookies represent a user to the site so that the user can perform authorized actions. However, the browser automatically sends the cookies with the request and therefore users and web sites implicitly trust the browser for authorization. An attacker can misuse this trust and make a request to the site on behalf of the user by embedding links inside the href
and src
attribute of tags such as link
and iframe
in third-party site pages that an attacker controls. If an attacker is able to lure an unsuspecting user to the third-party site that they control, the attacker can make requests that automatically include the session cookie authorizing the user, effectively authorizing the attacker as if they were the user.SameSite
attribute to Strict
in session cookies. This restricts the browser to append cookies only to requests that are either top-level navigation or originate from the same site. Requests that originate from third-party sites via links in various tags such as iframe
, img
, and form
do not have these cookies and therefore prevent the site from taking action that the user might not have authorized.SameSite
attribute to Lax
for session cookies.
...
CookieOptions opt = new CookieOptions()
{
SameSite = SameSiteMode.Lax;
};
context.Response.Cookies.Append("name", "Foo", opt);
...
SameSite
attribute on session cookies is not set to SameSiteStrictMode
.SameSite
attribute protects cookies from attacks such as Cross-Site Request Forgery (CSRF). Session cookies represent a user to the site so that the user can perform authorized actions. However, the browser automatically sends the cookies with the request and therefore users and web sites implicitly trust the browser for authorization. An attacker can misuse this trust and make a request to the site on behalf of the user by embedding links inside the href
and src
attribute of tags such as link
and iframe
in third-party site pages that an attacker controls. If an attacker is able to lure an unsuspecting user to the third-party site that they control, the attacker can make requests that automatically include the session cookie authorizing the user, effectively authorizing the attacker as if they were the user.SameSiteStrictMode
for the SameSite
attribute, which restricts the browser to append cookies only to requests that are either top-level navigation or originate from the same site. Requests that originate from third-party sites via links in various tags such as iframe
, img
, and form
do not have these cookies and therefore prevent the site from taking action that the user might not have authorized.SameSiteLaxMode
in the SameSite
attribute for session cookies.
c := &http.Cookie{
Name: "cookie",
Value: "samesite-lax",
SameSite: http.SameSiteLaxMode,
}
SameSite
attribute on session cookies is not set to Strict
.SameSite
attribute protects cookies from attacks such as Cross-Site Request Forgery (CSRF). Session cookies represent a user to the site so that the user can perform authorized actions. However, the browser automatically sends the cookies with the request and therefore users and web sites implicitly trust the browser for authorization. An attacker can misuse this trust and make a request to the site on behalf of the user by embedding links inside the href
and src
attribute of tags such as link
and iframe
in third-party site pages that an attacker controls. If an attacker is able to lure an unsuspecting user to the third-party site that they control, the attacker can make requests that automatically include the session cookie authorizing the user, effectively authorizing the attacker as if they were the user.SameSite
attribute to Strict
in session cookies. This restricts the browser to append cookies only to requests that are either top-level navigation or originate from the same site. Requests that originate from third-party sites via links in various tags such as iframe
, img
, and form
do not have these cookies and therefore prevent the site from taking action that the user might not have authorized.SameSite
attribute to Lax
for session cookies.
ResponseCookie cookie = ResponseCookie.from("myCookie", "myCookieValue")
...
.sameSite("Lax")
...
}
SameSite
attribute on session cookies is not set to Strict
.SameSite
attribute protects cookies from attacks such as Cross-Site Request Forgery (CSRF). Session cookies represent a user to the site so that the user can perform authorized actions. However, the browser automatically sends the cookies with the request and therefore users and web sites implicitly trust the browser for authorization. An attacker can misuse this trust and make a request to the site on behalf of the user by embedding links inside the href
and src
attribute of tags such as link
and iframe
in third-party site pages that an attacker controls. If an attacker is able to lure an unsuspecting user to the third-party site that they control, the attacker can make requests that automatically include the session cookie authorizing the user, effectively authorizing the attacker as if they were the user.SameSite
attribute to Strict
in session cookies. This restricts the browser to append cookies only to requests that are either top-level navigation or originate from the same site. Requests that originate from third-party sites via links in various tags such as iframe
, img
, and form
do not have these cookies and therefore prevent the site from taking action that the user might not have authorized.SameSite
attribute to Lax
for session cookies.
app.get('/', function (req, res) {
...
res.cookie('name', 'Foo', { sameSite: "Lax" });
...
}
SameSite
attribute on session cookies is not set to Strict
.SameSite
attribute protects cookies from attacks such as Cross-Site Request Forgery (CSRF). Session cookies represent a user to the site so that the user can perform authorized actions. However, the browser automatically sends the cookies with the request and therefore users and web sites implicitly trust the browser for authorization. An attacker can misuse this trust and make a request to the site on behalf of the user by embedding links inside the href
and src
attribute of tags such as link
and iframe
in third-party site pages that an attacker controls. If an attacker is able to lure an unsuspecting user to the third-party site that they control, the attacker can make requests that automatically include the session cookie authorizing the user, effectively authorizing the attacker as if they were the user.Strict
for the SameSite
attribute, which restricts the browser to append cookies only to requests that are either top-level navigation or originate from the same site. Requests that originate from third-party sites via links in various tags such as iframe
, img
, and form
do not have these cookies and therefore prevent the site from taking action that the user might not have authorized.Lax
mode in the SameSite
attribute for session cookies.
ini_set("session.cookie_samesite", "Lax");
SameSite
attribute on session cookies is not set to Strict
.SameSite
attribute protects cookies from attacks such as Cross-Site Request Forgery (CSRF). Session cookies represent a user to the site so that the user can perform authorized actions. However, the browser automatically sends the cookies with the request and therefore users and web sites implicitly trust the browser for authorization. An attacker can misuse this trust and make a request to the site on behalf of the user by embedding links inside the href
and src
attribute of tags such as link
and iframe
in third-party site pages that an attacker controls. If an attacker lures an unsuspecting user to the third-party site that they control, the attacker can make requests that automatically include the session cookie with user authorization. This effectively gives the attacker access with the user's authorization.Strict
for the SameSite
parameter, which restricts the browser to append cookies only to requests that are either top-level navigation or originate from the same site. Requests that originate from third-party sites via links in various tags such as iframe
, img
, and form
do not have these cookies and therefore prevent the site from taking action that the user might not have authorized.Lax
in the samesite
attribute for session cookies.
response.set_cookie("cookie", value="samesite-lax", samesite="Lax")
...
Integer maxAge = 60*60*24*365*10;
Cookie cookie = new Cookie('emailCookie', emailCookie, path, maxAge, true, 'Strict');
...
HttpCookie cookie = new HttpCookie("emailCookie", email);
cookie.Expires = DateTime.Now.AddYears(10);;
Cookie cookie = new Cookie("emailCookie", email);
cookie.setMaxAge(60*60*24*365*10);
...
NSDictionary *cookieProperties = [NSDictionary dictionary];
...
[cookieProperties setValue:[[NSDate date] dateByAddingTimeInterval:(60*60*24*365*10)] forKey:NSHTTPCookieExpires];
...
NSHTTPCookie *cookie = [NSHTTPCookie cookieWithProperties:cookieProperties];
...
setcookie("emailCookie", $email, time()+60*60*24*365*10);
from django.http.response import HttpResponse
...
def view_method(request):
res = HttpResponse()
res.set_cookie("emailCookie", email, expires=time()+60*60*24*365*10, secure=True, httponly=True)
return res
...
Ok(Html(command)).withCookies(Cookie("sessionID", sessionID, maxAge = Some(60*60*24*365*10)))
...
let properties = [
NSHTTPCookieDomain: "www.example.com",
NSHTTPCookiePath: "/service",
NSHTTPCookieName: "foo",
NSHTTPCookieValue: "bar",
NSHTTPCookieSecure: true,
NSHTTPCookieExpires : NSDate(timeIntervalSinceNow: (60*60*24*365*10))
]
let cookie : NSHTTPCookie? = NSHTTPCookie(properties:properties)
...
server.servlet.session.cookie.persistent=true
session_set_cookie_params(time()+60*60*24*365*10, "/", "www.example.com", false, true);
Secure
flag set to true
.Secure
flag for each cookie. If the flag is set, the browser will only send the cookie over HTTPS. Sending cookies over an unencrypted channel can expose them to network sniffing attacks, so the secure flag helps keep a cookie's value confidential. This is especially important if the cookie contains private data or carries a session identifier.Secure
flag.
...
<configuration>
<system.web>
<authentication mode="Forms">
<forms requireSSL="false" loginUrl="login.aspx">
</forms>
</authentication>
</system.web>
</configuration>
...
Secure
flag, cookies sent during an HTTPS request will also be sent during subsequent HTTP requests. Sniffing network traffic over unencrypted wireless connections is a trivial task for attackers, so sending cookies (especially those with session IDs) over HTTP can result in application compromise.Secure
flag for each cookie. If the flag is set, the browser will only send the cookie over HTTPS. Sending cookies over an unencrypted channel can expose them to network sniffing attacks, so the secure flag helps keep a cookie's value confidential. This is especially important if the cookie contains private data or carries a session identifier.Secure
flag for session cookies.
server.servlet.session.cookie.secure=false
Secure
flag, cookies sent during an HTTPS request will also be sent during subsequent HTTP requests. Attackers can then compromise the cookie by sniffing the unencrypted network traffic, which is particularly easy over wireless networks.Secure
flag to true
Secure
flag for each cookie. If the flag is set, the browser will only send the cookie over HTTPS. Sending cookies over an unencrypted channel can expose them to network sniffing attacks, so the secure flag helps keep a cookie's value confidential. This is especially important if the cookie contains private data or carries a session identifier.Secure
flag.
...
setcookie("emailCookie", $email, 0, "/", "www.example.com");
...
Secure
flag, cookies sent during an HTTPS request will also be sent during subsequent HTTP requests. Attackers can then compromise the cookie by sniffing the unencrypted network traffic, which is particularly easy over wireless networks.SESSION_COOKIE_SECURE
property to True
or set it to False
.Secure
flag for each cookie. If the flag is set, the browser will only send the cookie over HTTPS. Sending cookies over an unencrypted channel can expose them to network sniffing attacks, so the secure flag helps keep a cookie's value confidential. This is especially important if the cookie contains private data, session identifiers, or carries a CSRF token.Secure
bit for session cookies.
...
MIDDLEWARE = (
'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
'django.middleware.common.CommonMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
'csp.middleware.CSPMiddleware',
'django.middleware.security.SecurityMiddleware',
...
)
...
Secure
flag, cookies sent during an HTTPS request will also be sent during subsequent HTTP requests. Attackers can then compromise the cookie by sniffing the unencrypted network traffic, which is particularly easy over wireless networks.username
and password
to the JSON file located at C:\user_info.json
:
...
StringBuilder sb = new StringBuilder();
StringWriter sw = new StringWriter(sb);
using (JsonWriter writer = new JsonTextWriter(sw))
{
writer.Formatting = Formatting.Indented;
writer.WriteStartObject();
writer.WritePropertyName("role");
writer.WriteRawValue("\"default\"");
writer.WritePropertyName("username");
writer.WriteRawValue("\"" + username + "\"");
writer.WritePropertyName("password");
writer.WriteRawValue("\"" + password + "\"");
writer.WriteEndObject();
}
File.WriteAllText(@"C:\user_info.json", sb.ToString());
JsonWriter.WriteRawValue()
, the untrusted data in username
and password
will not be validated to escape JSON-related special characters. This allows a user to arbitrarily insert JSON keys, possibly changing the structure of the serialized JSON. In this example, if the non-privileged user mallory
with password Evil123!
were to append ","role":"admin
to her username when entering it at the prompt that sets the value of the username
variable, the resulting JSON saved to C:\user_info.json
would be:
{
"role":"default",
"username":"mallory",
"role":"admin",
"password":"Evil123!"
}
Dictionary
object with JsonConvert.DeserializeObject()
as so:
String jsonString = File.ReadAllText(@"C:\user_info.json");
Dictionary<string, string> userInfo = JsonConvert.DeserializeObject<Dictionary<string, strin>>(jsonString);
username
, password
, and role
keys in the Dictionary
object would be mallory
, Evil123!
, and admin
respectively. Without further verification that the deserialized JSON values are valid, the application will incorrectly assign user mallory
"admin" privileges.username
and password
to the JSON file located at ~/user_info.json
:
...
func someHandler(w http.ResponseWriter, r *http.Request){
r.parseForm()
username := r.FormValue("username")
password := r.FormValue("password")
...
jsonString := `{
"username":"` + username + `",
"role":"default"
"password":"` + password + `",
}`
...
f, err := os.Create("~/user_info.json")
defer f.Close()
jsonEncoder := json.NewEncoder(f)
jsonEncoder.Encode(jsonString)
}
username
and password
is not validated to escape JSON-related special characters. This allows a user to arbitrarily insert JSON keys, which can possibly change the serialized JSON structure. In this example, if the non-privileged user mallory
with password Evil123!
appended ","role":"admin
when she entered her username, the resulting JSON saved to ~/user_info.json
would be:
{
"username":"mallory",
"role":"default",
"password":"Evil123!",
"role":"admin"
}
mallory
"admin" privileges.username
and password
to the JSON file located at ~/user_info.json
:
...
JsonFactory jfactory = new JsonFactory();
JsonGenerator jGenerator = jfactory.createJsonGenerator(new File("~/user_info.json"), JsonEncoding.UTF8);
jGenerator.writeStartObject();
jGenerator.writeFieldName("username");
jGenerator.writeRawValue("\"" + username + "\"");
jGenerator.writeFieldName("password");
jGenerator.writeRawValue("\"" + password + "\"");
jGenerator.writeFieldName("role");
jGenerator.writeRawValue("\"default\"");
jGenerator.writeEndObject();
jGenerator.close();
JsonGenerator.writeRawValue()
, the untrusted data in username
and password
will not be validated to escape JSON-related special characters. This allows a user to arbitrarily insert JSON keys, possibly changing the structure of the serialized JSON. In this example, if the non-privileged user mallory
with password Evil123!
were to append ","role":"admin
to her username when entering it at the prompt that sets the value of the username
variable, the resulting JSON saved to ~/user_info.json
would be:
{
"username":"mallory",
"role":"admin",
"password":"Evil123!",
"role":"default"
}
HashMap
object with Jackson's JsonParser
as so:
JsonParser jParser = jfactory.createJsonParser(new File("~/user_info.json"));
while (jParser.nextToken() != JsonToken.END_OBJECT) {
String fieldname = jParser.getCurrentName();
if ("username".equals(fieldname)) {
jParser.nextToken();
userInfo.put(fieldname, jParser.getText());
}
if ("password".equals(fieldname)) {
jParser.nextToken();
userInfo.put(fieldname, jParser.getText());
}
if ("role".equals(fieldname)) {
jParser.nextToken();
userInfo.put(fieldname, jParser.getText());
}
if (userInfo.size() == 3)
break;
}
jParser.close();
username
, password
, and role
keys in the HashMap
object would be mallory
, Evil123!
, and admin
respectively. Without further verification that the deserialized JSON values are valid, the application will incorrectly assign user mallory
"admin" privileges.
var str = document.URL;
var url_check = str.indexOf('name=');
var name = null;
if (url_check > -1) {
name = decodeURIComponent(str.substring((url_check+5), str.length));
}
$(document).ready(function(){
if (name !== null){
var obj = jQuery.parseJSON('{"role": "user", "name" : "' + name + '"}');
...
}
...
});
name
will not be validated to escape JSON-related special characters. This allows a user to arbitrarily insert JSON keys, possibly changing the structure of the serialized JSON. In this example, if the non-privileged user mallory
were to append ","role":"admin
to the name parameter in the URL, the JSON would become:
{
"role":"user",
"username":"mallory",
"role":"admin"
}
jQuery.parseJSON()
and set to a plain object, meaning that obj.role
would now return "admin" instead of "user"_usernameField
and _passwordField
:
...
NSString * const jsonString = [NSString stringWithFormat: @"{\"username\":\"%@\",\"password\":\"%@\",\"role\":\"default\"}" _usernameField.text, _passwordField.text];
NSString.stringWithFormat:
, the untrusted data in _usernameField
and _passwordField
will not be validated to escape JSON-related special characters. This allows a user to arbitrarily insert JSON keys, possibly changing the structure of the serialized JSON. In this example, if the non-privileged user mallory
with password Evil123!
were to append ","role":"admin
to her username when entering it into the _usernameField
field, the resulting JSON would be:
{
"username":"mallory",
"role":"admin",
"password":"Evil123!",
"role":"default"
}
NSDictionary
object with NSJSONSerialization.JSONObjectWithData:
as so:
NSError *error;
NSDictionary *jsonData = [NSJSONSerialization JSONObjectWithData:[jsonString dataUsingEncoding:NSUTF8StringEncoding] options:NSJSONReadingAllowFragments error:&error];
username
, password
, and role
in the NSDictionary
object would be mallory
, Evil123!
, and admin
respectively. Without further verification that the deserialized JSON values are valid, the application will incorrectly assign user mallory
"admin" privileges.
import json
import requests
from urllib.parse import urlparse
from urllib.parse import parse_qs
url = 'https://www.example.com/some_path?name=some_value'
parsed_url = urlparse(url)
untrusted_values = parse_qs(parsed_url.query)['name'][0]
with open('data.json', 'r') as json_File:
data = json.load(json_File)
data['name']= untrusted_values
with open('data.json', 'w') as json_File:
json.dump(data, json_File)
...
name
will not be validated to escape JSON-related special characters. This allows a user to arbitrarily insert JSON keys, possibly changing the structure of the serialized JSON. In this example, if the non-privileged user mallory
were to append ","role":"admin
to the name parameter in the URL, the JSON would become:
{
"role":"user",
"username":"mallory",
"role":"admin"
}
usernameField
and passwordField
:
...
let jsonString : String = "{\"username\":\"\(usernameField.text)\",\"password\":\"\(passwordField.text)\",\"role\":\"default\"}"
usernameField
and passwordField
will not be validated to escape JSON-related special characters. This allows a user to arbitrarily insert JSON keys, possibly changing the structure of the serialized JSON. In this example, if the non-privileged user mallory
with password Evil123!
were to append ","role":"admin
to her username when entering it into the usernameField
field, the resulting JSON would be:
{
"username":"mallory",
"role":"admin",
"password":"Evil123!",
"role":"default"
}
NSDictionary
object with NSJSONSerialization.JSONObjectWithData:
as so:
var error: NSError?
var jsonData : NSDictionary = NSJSONSerialization.JSONObjectWithData(jsonString.dataUsingEncoding(NSUTF8StringEncoding), options: NSJSONReadingOptions.MutableContainers, error: &error) as NSDictionary
username
, password
, and role
in the NSDictionary
object would be mallory
, Evil123!
, and admin
respectively. Without further verification that the deserialized JSON values are valid, the application will incorrectly assign user mallory
"admin" privileges.