Reino: Security Features

Segurança de software não é o mesmo que software de segurança. Aqui, estamos interessados em tópicos como autenticação, controle de acesso, confidencialidade, criptografia e gestão de privilégios.

Cookie Security: Overly Permissive SameSite Attribute

Abstract
O atributo SameSite em cookies de sessão não está definido como Strict.
Explanation
Os navegadores anexam cookies automaticamente a cada solicitação HTTP feita ao site que define o cookie. Os cookies podem armazenar dados confidenciais, como ID de sessão e token de autorização ou dados do site que são compartilhados entre diferentes solicitações para o mesmo site durante uma sessão. Um invasor pode realizar um ataque de personificação gerando uma solicitação ao site autenticado de uma página de site de terceiros carregada na máquina cliente porque o navegador anexou automaticamente o cookie à solicitação.

O parâmetro SameSite limita o escopo do cookie para que ele seja anexado apenas a uma solicitação se a solicitação for gerada do contexto primário ou do mesmo site. Isso ajuda a proteger os cookies contra ataques CSRF (Cross-Site Request Forgery). O parâmetro SameSite pode ter os três seguintes valores:

- Strict: Quando definido como Strict, os cookies são enviados apenas com as solicitações na navegação de nível superior.
- Lax: Quando definido como Lax, os cookies são enviados com navegação de nível superior do mesmo host, bem como solicitações GET originadas para o host de sites de terceiros. Por exemplo, suponha que haja um site de terceiros que tenha tags iframe ou href para o site host. Se um usuário seguir o link, a solicitação incluirá o cookie.
- None: Os cookies são enviados em todas as solicitações feitas ao site no caminho e no escopo de domínio definidos para o cookie. As solicitações geradas devido ao envio de formulários usando o método POST também podem enviar cookies com a solicitação.

Exemplo 1: O código a seguir habilita o parâmetro SameSite como Lax para cookies de sessão.

...
Cookie cookie = new Cookie('name', 'Foo', path, -1, true, 'Lax');
...
References
[1] HTTP State Management Mechanism Internet Engineering Task Force
[2] SameSite Browser Compatibility Can I Use
[3] Standards Mapping - Common Weakness Enumeration CWE ID 352
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [9] CWE ID 352
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [9] CWE ID 352
[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [9] CWE ID 352
[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [9] CWE ID 352
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [9] CWE ID 352
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-001941, CCI-001942
[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-2 Identification and Authentication (Organizational Users) (P1), SC-23 Session Authenticity (P1), SI-10 Information Input Validation (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-2 Identification and Authentication (Organizational Users), SC-23 Session Authenticity, SI-10 Information Input Validation
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.4.3 Cookie-based Session Management (L1 L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[15] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[16] Standards Mapping - OWASP Top 10 2007 A5 Cross Site Request Forgery (CSRF)
[17] Standards Mapping - OWASP Top 10 2010 A5 Cross-Site Request Forgery (CSRF)
[18] Standards Mapping - OWASP Top 10 2013 A8 Cross-Site Request Forgery (CSRF)
[19] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.5
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.9
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.9
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.9
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.9
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.9
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[30] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 352
[31] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 352
[32] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 352
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3585 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3585 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3585 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3585 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3585 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3585 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3585 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Request Forgery (WASC-09)
[56] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Request Forgery
desc.semantic.apex.cookie_security_overly_permissive_samesite_attribute
Abstract
O atributo SameSite em cookies de sessão não está definido como Strict.
Explanation
O atributo SameSite protege cookies contra ataques como CSRF (Cross-Site Request Forgery). Os cookies de sessão representam um usuário para o site para que ele possa executar ações autorizadas. No entanto, o navegador envia automaticamente os cookies com a solicitação e, portanto, os usuários e os sites confiam implicitamente no navegador para autorização. Um invasor pode usar indevidamente essa confiança e fazer uma solicitação ao site em nome do usuário incorporando links no atributo href e src de tags como link e iframe em páginas de sites de terceiros que um invasor controla. Se um invasor conseguir atrair um usuário desavisado para o site de terceiros que ele controla, ele poderá fazer solicitações que incluam automaticamente o cookie de sessão que autoriza o usuário, autorizando efetivamente o invasor como se fosse o usuário.
Defina o valor do atributo SameSite como Strict nos cookies de sessão. Isso restringe o navegador a anexar cookies apenas a solicitações de navegação de nível superior ou originadas do mesmo site. Solicitações originadas de sites de terceiros por meio de links em várias tags, como iframe, img e form, não têm esses cookies e, portanto, evitam que o site execute ações que o usuário possa não ter autorizado.

Exemplo 1: O código a seguir define o valor do atributo SameSite como Lax para cookies de sessão.

...
CookieOptions opt = new CookieOptions()
{
SameSite = SameSiteMode.Lax;
};
context.Response.Cookies.Append("name", "Foo", opt);
...
References
[1] HTTP State Management Mechanism Internet Engineering Task Force
[2] SameSite Browser Compatibility Can I Use
[3] Standards Mapping - Common Weakness Enumeration CWE ID 352
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [9] CWE ID 352
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [9] CWE ID 352
[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [9] CWE ID 352
[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [9] CWE ID 352
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [9] CWE ID 352
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-001941, CCI-001942
[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-2 Identification and Authentication (Organizational Users) (P1), SC-23 Session Authenticity (P1), SI-10 Information Input Validation (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-2 Identification and Authentication (Organizational Users), SC-23 Session Authenticity, SI-10 Information Input Validation
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.4.3 Cookie-based Session Management (L1 L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[15] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[16] Standards Mapping - OWASP Top 10 2007 A5 Cross Site Request Forgery (CSRF)
[17] Standards Mapping - OWASP Top 10 2010 A5 Cross-Site Request Forgery (CSRF)
[18] Standards Mapping - OWASP Top 10 2013 A8 Cross-Site Request Forgery (CSRF)
[19] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.5
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.9
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.9
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.9
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.9
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.9
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[30] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 352
[31] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 352
[32] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 352
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3585 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3585 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3585 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3585 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3585 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3585 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3585 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Request Forgery (WASC-09)
[56] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Request Forgery
desc.semantic.dotnet.cookie_security_overly_permissive_samesite_attribute
Abstract
O atributo SameSite em cookies de sessão não é definido como SameSiteStrictMode.
Explanation
O atributo SameSite protege cookies contra ataques como CSRF (Cross-Site Request Forgery). Os cookies de sessão representam um usuário para o site para que ele possa executar ações autorizadas. No entanto, o navegador envia automaticamente os cookies com a solicitação e, portanto, os usuários e os sites confiam implicitamente no navegador para autorização. Um invasor pode usar indevidamente essa confiança e fazer uma solicitação ao site em nome do usuário incorporando links no atributo href e src de tags como link e iframe em páginas de sites de terceiros que um invasor controla. Se um invasor conseguir atrair um usuário desavisado para o site de terceiros que ele controla, ele poderá fazer solicitações que incluam automaticamente o cookie de sessão que autoriza o usuário, autorizando efetivamente o invasor como se fosse o usuário.
Defina cookies de sessão com o atributo SameSiteStrictMode para SameSite, o que restringe o navegador a anexar cookies apenas a solicitações de navegação de nível superior ou originadas do mesmo site. Solicitações originadas de sites de terceiros por meio de links em várias tags, como iframe, img e form, não têm esses cookies e, portanto, evitam que o site execute ações que o usuário possa não ter autorizado.

Exemplo 1: O código a seguir habilita SameSiteLaxMode no atributo SameSite para cookies de sessão.

c := &http.Cookie{
Name: "cookie",
Value: "samesite-lax",
SameSite: http.SameSiteLaxMode,
}
References
[1] SameSite Browser Compatibility Can I Use
[2] Standards Mapping - Common Weakness Enumeration CWE ID 352
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [9] CWE ID 352
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [9] CWE ID 352
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [9] CWE ID 352
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [9] CWE ID 352
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [9] CWE ID 352
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-001941, CCI-001942
[9] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-2 Identification and Authentication (Organizational Users) (P1), SC-23 Session Authenticity (P1), SI-10 Information Input Validation (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-2 Identification and Authentication (Organizational Users), SC-23 Session Authenticity, SI-10 Information Input Validation
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.4.3 Cookie-based Session Management (L1 L2 L3)
[13] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[14] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[15] Standards Mapping - OWASP Top 10 2007 A5 Cross Site Request Forgery (CSRF)
[16] Standards Mapping - OWASP Top 10 2010 A5 Cross-Site Request Forgery (CSRF)
[17] Standards Mapping - OWASP Top 10 2013 A8 Cross-Site Request Forgery (CSRF)
[18] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.5
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.9
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.9
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.9
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.9
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.9
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[29] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 352
[30] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 352
[31] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 352
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3585 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3585 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3585 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3585 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3585 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3585 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3585 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[54] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Request Forgery (WASC-09)
[55] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Request Forgery
desc.semantic.golang.cookie_security_overly_permissive_samesite_attribute
Abstract
O atributo SameSite em cookies de sessão não está definido como Strict.
Explanation
O atributo SameSite protege cookies contra ataques como CSRF (Cross-Site Request Forgery). Os cookies de sessão representam um usuário para o site para que ele possa executar ações autorizadas. No entanto, o navegador envia automaticamente os cookies com a solicitação e, portanto, os usuários e os sites confiam implicitamente no navegador para autorização. Um invasor pode usar indevidamente essa confiança e fazer uma solicitação ao site em nome do usuário incorporando links no atributo href e src de tags como link e iframe em páginas de sites de terceiros que um invasor controla. Se um invasor conseguir atrair um usuário desavisado para o site de terceiros que ele controla, ele poderá fazer solicitações que incluam automaticamente o cookie de sessão que autoriza o usuário, autorizando efetivamente o invasor como se fosse o usuário.
Defina o valor do atributo SameSite como Strict nos cookies de sessão. Isso restringe o navegador a anexar cookies apenas a solicitações de navegação de nível superior ou originadas do mesmo site. Solicitações originadas de sites de terceiros por meio de links em várias tags, como iframe, img e form, não têm esses cookies e, portanto, evitam que o site execute ações que o usuário possa não ter autorizado.

Exemplo 1: O código a seguir define o valor do atributo SameSite como Lax para cookies de sessão.

ResponseCookie cookie = ResponseCookie.from("myCookie", "myCookieValue")
...
.sameSite("Lax")
...
}
References
[1] HTTP State Management Mechanism Internet Engineering Task Force
[2] SameSite Browser Compatibility Can I Use
[3] Standards Mapping - Common Weakness Enumeration CWE ID 352
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [9] CWE ID 352
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [9] CWE ID 352
[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [9] CWE ID 352
[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [9] CWE ID 352
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [9] CWE ID 352
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-001941, CCI-001942
[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-2 Identification and Authentication (Organizational Users) (P1), SC-23 Session Authenticity (P1), SI-10 Information Input Validation (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-2 Identification and Authentication (Organizational Users), SC-23 Session Authenticity, SI-10 Information Input Validation
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.4.3 Cookie-based Session Management (L1 L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[15] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[16] Standards Mapping - OWASP Top 10 2007 A5 Cross Site Request Forgery (CSRF)
[17] Standards Mapping - OWASP Top 10 2010 A5 Cross-Site Request Forgery (CSRF)
[18] Standards Mapping - OWASP Top 10 2013 A8 Cross-Site Request Forgery (CSRF)
[19] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.5
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.9
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.9
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.9
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.9
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.9
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[30] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 352
[31] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 352
[32] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 352
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3585 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3585 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3585 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3585 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3585 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3585 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3585 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Request Forgery (WASC-09)
[56] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Request Forgery
desc.semantic.java.cookie_security_overly_permissive_samesite_attribute
Abstract
O atributo SameSite em cookies de sessão não está definido como Strict.
Explanation
O atributo SameSite protege cookies contra ataques como CSRF (Cross-Site Request Forgery). Os cookies de sessão representam um usuário para o site para que ele possa executar ações autorizadas. No entanto, o navegador envia automaticamente os cookies com a solicitação e, portanto, os usuários e os sites confiam implicitamente no navegador para autorização. Um invasor pode usar indevidamente essa confiança e fazer uma solicitação ao site em nome do usuário incorporando links no atributo href e src de tags como link e iframe em páginas de sites de terceiros que um invasor controla. Se um invasor conseguir atrair um usuário desavisado para o site de terceiros que ele controla, ele poderá fazer solicitações que incluam automaticamente o cookie de sessão que autoriza o usuário, autorizando efetivamente o invasor como se fosse o usuário.
Defina o valor do atributo SameSite como Strict nos cookies de sessão. Isso restringe o navegador a anexar cookies apenas a solicitações de navegação de nível superior ou originadas do mesmo site. Solicitações originadas de sites de terceiros por meio de links em várias tags, como iframe, img e form, não têm esses cookies e, portanto, evitam que o site execute ações que o usuário possa não ter autorizado.

Exemplo 1: O código a seguir define o valor do atributo SameSite como Lax para cookies de sessão.

app.get('/', function (req, res) {
...
res.cookie('name', 'Foo', { sameSite: "Lax" });
...
}
References
[1] HTTP State Management Mechanism Internet Engineering Task Force
[2] SameSite Browser Compatibility Can I Use
[3] Standards Mapping - Common Weakness Enumeration CWE ID 352
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [9] CWE ID 352
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [9] CWE ID 352
[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [9] CWE ID 352
[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [9] CWE ID 352
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [9] CWE ID 352
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-001941, CCI-001942
[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-2 Identification and Authentication (Organizational Users) (P1), SC-23 Session Authenticity (P1), SI-10 Information Input Validation (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-2 Identification and Authentication (Organizational Users), SC-23 Session Authenticity, SI-10 Information Input Validation
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.4.3 Cookie-based Session Management (L1 L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[15] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[16] Standards Mapping - OWASP Top 10 2007 A5 Cross Site Request Forgery (CSRF)
[17] Standards Mapping - OWASP Top 10 2010 A5 Cross-Site Request Forgery (CSRF)
[18] Standards Mapping - OWASP Top 10 2013 A8 Cross-Site Request Forgery (CSRF)
[19] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.5
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.9
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.9
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.9
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.9
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.9
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[30] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 352
[31] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 352
[32] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 352
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3585 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3585 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3585 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3585 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3585 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3585 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3585 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Request Forgery (WASC-09)
[56] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Request Forgery
desc.dataflow.javascript.cookie_security_overly_permissive_samesite_attribute
Abstract
O atributo SameSite em cookies de sessão não é definido como Strict.
Explanation
O atributo SameSite protege cookies contra ataques como CSRF (Cross-Site Request Forgery). Os cookies de sessão representam um usuário para o site para que ele possa executar ações autorizadas. No entanto, o navegador envia automaticamente os cookies com a solicitação e, portanto, os usuários e os sites confiam implicitamente no navegador para autorização. Um invasor pode usar indevidamente essa confiança e fazer uma solicitação ao site em nome do usuário incorporando links no atributo href e src de tags como link e iframe em páginas de sites de terceiros que um invasor controla. Se um invasor conseguir atrair um usuário desavisado para o site de terceiros que ele controla, ele poderá fazer solicitações que incluam automaticamente o cookie de sessão que autoriza o usuário, autorizando efetivamente o invasor como se fosse o usuário.
Defina cookies de sessão com o atributo Strict para SameSite, o que restringe o navegador a anexar cookies apenas a solicitações de navegação de nível superior ou originadas do mesmo site. Solicitações originadas de sites de terceiros por meio de links em várias tags, como iframe, img e form, não têm esses cookies e, portanto, evitam que o site execute ações que o usuário possa não ter autorizado.

Exemplo 1: O código a seguir habilita o modo Lax no atributo SameSite para cookies de sessão.

ini_set("session.cookie_samesite", "Lax");
References
[1] Runtime Configuration The PHP Group
[2] SameSite Browser Compatibility Can I Use
[3] Standards Mapping - Common Weakness Enumeration CWE ID 352
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [9] CWE ID 352
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [9] CWE ID 352
[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [9] CWE ID 352
[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [9] CWE ID 352
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [9] CWE ID 352
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-001941, CCI-001942
[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-2 Identification and Authentication (Organizational Users) (P1), SC-23 Session Authenticity (P1), SI-10 Information Input Validation (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-2 Identification and Authentication (Organizational Users), SC-23 Session Authenticity, SI-10 Information Input Validation
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.4.3 Cookie-based Session Management (L1 L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[15] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[16] Standards Mapping - OWASP Top 10 2007 A5 Cross Site Request Forgery (CSRF)
[17] Standards Mapping - OWASP Top 10 2010 A5 Cross-Site Request Forgery (CSRF)
[18] Standards Mapping - OWASP Top 10 2013 A8 Cross-Site Request Forgery (CSRF)
[19] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.5
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.9
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.9
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.9
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.9
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.9
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[30] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 352
[31] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 352
[32] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 352
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3585 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3585 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3585 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3585 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3585 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3585 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3585 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Request Forgery (WASC-09)
[56] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Request Forgery
desc.structural.php.cookie_security_overly_permissive_samesite_attribute
Abstract
O atributo SameSite em cookies de sessão não está definido como Strict.
Explanation
O atributo SameSite protege cookies contra ataques como CSRF (Cross-Site Request Forgery). Os cookies de sessão representam um usuário para o site para que ele possa executar ações autorizadas. No entanto, o navegador envia automaticamente os cookies com a solicitação e, portanto, os usuários e os sites confiam implicitamente no navegador para autorização. Um invasor pode usar indevidamente essa confiança e fazer uma solicitação ao site em nome do usuário incorporando links no atributo href e src de tags como link e iframe em páginas de sites de terceiros que um invasor controla. Se um invasor atrair um usuário desavisado para o site de terceiros que ele controla, o invasor poderá fazer solicitações que incluam automaticamente o cookie de sessão com autorização do usuário. Isso efetivamente dá ao invasor acesso com a autorização do usuário.
Defina cookies de sessão como Strict para o parâmetro SameSite, o que restringe o navegador a anexar cookies apenas a solicitações de navegação de nível superior ou originadas do mesmo site. Solicitações originadas de sites de terceiros por meio de links em várias tags, como iframe, img e form, não têm esses cookies e, portanto, evitam que o site execute ações que o usuário possa não ter autorizado.

Exemplo 1: O código a seguir habilita Lax no atributo samesite para cookies de sessão.

response.set_cookie("cookie", value="samesite-lax", samesite="Lax")
References
[1] SameSite Browser Compatibility Can I Use
[2] Standards Mapping - Common Weakness Enumeration CWE ID 352
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [9] CWE ID 352
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [9] CWE ID 352
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [9] CWE ID 352
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [9] CWE ID 352
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [9] CWE ID 352
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-001941, CCI-001942
[9] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-2 Identification and Authentication (Organizational Users) (P1), SC-23 Session Authenticity (P1), SI-10 Information Input Validation (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-2 Identification and Authentication (Organizational Users), SC-23 Session Authenticity, SI-10 Information Input Validation
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.4.3 Cookie-based Session Management (L1 L2 L3)
[13] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[14] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[15] Standards Mapping - OWASP Top 10 2007 A5 Cross Site Request Forgery (CSRF)
[16] Standards Mapping - OWASP Top 10 2010 A5 Cross-Site Request Forgery (CSRF)
[17] Standards Mapping - OWASP Top 10 2013 A8 Cross-Site Request Forgery (CSRF)
[18] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.5
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.9
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.9
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.9
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.9
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.9
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[29] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 352
[30] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 352
[31] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 352
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3585 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3585 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3585 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3585 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3585 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3585 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3585 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[54] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Request Forgery (WASC-09)
[55] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Request Forgery
desc.semantic.python.cookie_security_overly_permissive_samesite_attribute