Sensitive Cookie with Improper SameSite Attribute

Property
Language: python
Severity: low
CWE: CWE-1275: Sensitive Cookie with Improper SameSite Attribute
OWASP: A01:2021 - Broken Access Control
Confidence Level: Medium
Impact Level: Low
Likelihood Level: Low

Description

The Pyramid authentication ticket cookie (the cookie written by AuthTktAuthenticationPolicy) is configured without the recommended samesite='Lax' setting, so browsers may attach it to requests that other sites initiate. Without this attribute, a request that an untrusted page triggers against your application, such as a hidden form post, arrives carrying the user's authentication ticket, and the application cannot tell it apart from a request the user meant to make. Passing samesite=None to the policy disables the attribute explicitly.

Impact

If exploited, an attacker can make a logged-in user's browser send authenticated requests to your application from a page the attacker controls, a cross-site request forgery (CSRF), and thereby perform actions on the user's behalf, such as changing account data. SameSite does not stop a script from reading the cookie; cookie theft is the concern addressed by the HttpOnly flag. Note also that SameSite=Lax still sends the cookie on top-level GET navigations, so state-changing actions must not be reachable over GET and a CSRF token remains the primary defence.

Sensitive Cookie with Improper SameSite Attribute

Property
Language: python
Severity: low
CWE: CWE-1275: Sensitive Cookie with Improper SameSite Attribute
OWASP: A01:2021 - Broken Access Control
Confidence Level: Medium
Impact Level: Low
Likelihood Level: Low

Description

The code sets cookies on Pyramid responses (response.set_cookie) without an explicit samesite argument. The underlying WebOb set_cookie defaults samesite to None, so no SameSite attribute is emitted and the browser falls back to its own default; browser behaviour for such cookies varies, and several still send them with cross-site requests, which makes the cookie usable in cross-site request forgery.

Impact

If exploited, an attacker can use the cookie in a cross-site request forgery (CSRF): a page the attacker controls causes the victim's browser to issue a request to your application that carries the cookie, so the request is processed as the logged-in user. This can lead to unauthorized actions on user accounts or exposure of sensitive data. SameSite does not prevent a script from reading the cookie, so it is not a substitute for the HttpOnly flag or for preventing XSS.

Sensitive Cookie with Improper SameSite Attribute

Property
Language: python
Severity: low
CWE: CWE-1275: Sensitive Cookie with Improper SameSite Attribute
OWASP: A01:2021 - Broken Access Control
Confidence Level: Medium
Impact Level: Low
Likelihood Level: Low

Description

The code sets cookies in a Pyramid application with the samesite attribute set to a value other than 'Lax' (or 'Strict'), for example samesite='None', which explicitly permits the cookie on cross-site requests. Browsers only honour SameSite=None when the cookie also carries the Secure attribute; if genuinely cross-site use is required (an embedded widget, for instance), combine None with Secure and a CSRF token, otherwise use Lax or Strict.

Impact

If exploited, an attacker can cause a user's browser to include your site's cookies in requests made from another site, so the application performs state-changing actions on the user's behalf. This removes one layer of the application's defence against cross-site request forgery (CSRF) and may expose sensitive user data to unauthorized actions.

Sensitive Cookie Without ‘HttpOnly’ Flag

Property
Language: go
Severity: low
CWE: CWE-1004: Sensitive Cookie Without ‘HttpOnly’ Flag
OWASP: A05:2021 - Security Misconfiguration
Confidence Level: Medium
Impact Level: Low
Likelihood Level: Low

Description

The session cookie is being set without the HttpOnly flag, so client-side JavaScript can read it through document.cookie. In Go this happens when an http.Cookie is written without HttpOnly: true; the flag costs nothing for a cookie that the page's scripts never need to read.

Impact

If exploited, an attacker who can run script in the victim's browser, typically through cross-site scripting (XSS), can read the session cookie and send it to a server they control, then replay it to hijack the account or reach restricted areas of the application. HttpOnly blocks this exfiltration path; it does not stop the injected script from issuing authenticated requests from inside the victim's browser, so it is a mitigation for XSS, not a fix.

Sensitive Cookie Without ‘HttpOnly’ Flag

Property
Language: go
Severity: low
CWE: CWE-1004: Sensitive Cookie Without ‘HttpOnly’ Flag
OWASP: A05:2021 - Security Misconfiguration
Confidence Level: Medium
Impact Level: Low
Likelihood Level: Low

Description

The session cookie is being set without the HttpOnly flag, which means client-side scripts can read its value. A session cookie is only ever needed by the server, so leaving it script-readable makes it a target for theft through cross-site scripting (XSS).

Impact

If exploited, an attacker could steal session cookies with injected script, hijack user sessions, and gain unauthorized access to user accounts or data, up to a data breach depending on what those sessions can reach.

Sensitive Cookie Without ‘HttpOnly’ Flag

Property
Language: kotlin
Severity: low
CWE: CWE-1004: Sensitive Cookie Without ‘HttpOnly’ Flag
OWASP: A05:2021 - Security Misconfiguration
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The code creates or sets cookies without enabling the HttpOnly flag, which lets client-side scripts (JavaScript) read them. For servlet-style cookies the fix is Cookie.setHttpOnly(true), which Kotlin also exposes as the isHttpOnly property. Confidence is low for this rule because it cannot always tell whether a given cookie holds a secret; review each finding to confirm the cookie is actually sensitive.

Impact

If exploited, attackers could read authentication tokens or session identifiers from cookies with injected script, then replay them to hijack accounts or impersonate users. This weakens the application's overall security posture and exposes users to account compromise.

Sensitive Cookie Without ‘HttpOnly’ Flag

Property
Language: java
Severity: low
CWE: CWE-1004: Sensitive Cookie Without ‘HttpOnly’ Flag
OWASP: A05:2021 - Security Misconfiguration
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

A cookie is being set without the HttpOnly flag, so client-side scripts (JavaScript) can read its value. Sensitive values stored in such cookies are exposed to theft through cross-site scripting (XSS). In the Servlet API (3.0 and later) the flag is set with Cookie.setHttpOnly(true) before the cookie is added to the response.

Impact

If an attacker manages to inject script into your site, they can read any cookie that lacks the HttpOnly flag and use it to hijack user sessions or access sensitive data. This raises the risk of account compromise and data breaches; it is a mitigation layered on top of output encoding and other XSS defences, not a replacement for them.
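As an added example, not part of this rule catalog nor of the Pyramid, Go or Servlet projects it refers to, the following Python audits Set-Cookie headers for the two weaknesses covered by the entries above: a missing or 'None' SameSite attribute (CWE-1275) and a missing HttpOnly flag (CWE-1004). The cookie-name heuristic, the sample headers and all function names are constructed for illustration. The hardened_set_cookie helper emits the header that the framework-level fixes produce: in Pyramid, samesite='Lax' and http_only=True on AuthTktAuthenticationPolicy, or samesite='Lax' and httponly=True on response.set_cookie; in Go, HttpOnly: true and SameSite: http.SameSiteLaxMode on http.Cookie; in Java or Kotlin servlets, Cookie.setHttpOnly(true).

```python
"""Audit Set-Cookie headers for the SameSite and HttpOnly weaknesses
(CWE-1275, CWE-1004). Added example; names, sample headers and the
sensitivity heuristic are constructed, not taken from any framework."""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed heuristic: substrings that usually mark a session or
# authentication cookie. A real scanner would use the framework's own
# cookie name (Pyramid's default is 'auth_tkt').
SENSITIVE_NAME_HINTS = ("session", "auth", "tkt", "token", "sid")


@dataclass
class CookieAudit:
    name: str
    samesite: Optional[str]  # value as written, or None if the attribute is absent
    httponly: bool
    secure: bool
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie header value (RFC 6265: ';'-separated pairs).

    Attribute names are case-insensitive; HttpOnly and Secure take no value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    samesite, httponly, secure = None, False, False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "samesite":
            samesite = val.strip()
        elif key == "httponly":
            httponly = True
        elif key == "secure":
            secure = True
    return CookieAudit(name.strip(), samesite, httponly, secure)


def is_sensitive(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SENSITIVE_NAME_HINTS)


def audit_set_cookie(header: str) -> CookieAudit:
    """Return the parsed cookie with one finding per weak or missing attribute.

    Only cookies judged sensitive are flagged, mirroring the 'Sensitive
    Cookie' scope of both CWEs.
    """
    audit = parse_set_cookie(header)
    if not is_sensitive(audit.name):
        return audit
    ss = (audit.samesite or "").lower()
    if ss == "":
        audit.findings.append("CWE-1275: SameSite attribute missing")
    elif ss == "none":
        # SameSite=None deliberately re-enables cross-site sending, and
        # browsers only honour it when the cookie is also marked Secure.
        audit.findings.append("CWE-1275: SameSite=None permits cross-site requests")
        if not audit.secure:
            audit.findings.append("SameSite=None requires the Secure attribute")
    elif ss not in ("lax", "strict"):
        audit.findings.append(f"CWE-1275: unrecognised SameSite value {audit.samesite!r}")
    if not audit.httponly:
        audit.findings.append("CWE-1004: HttpOnly flag missing")
    return audit


def hardened_set_cookie(name: str, value: str, max_age: int,
                        samesite: str = "Lax") -> str:
    """Build the header the fixes on this page produce: HttpOnly, Secure
    and SameSite=Lax (or Strict) on the session cookie."""
    if samesite not in ("Lax", "Strict"):
        raise ValueError("use Lax or Strict for a session cookie")
    return (f"{name}={value}; Path=/; Max-Age={max_age}; "
            f"HttpOnly; Secure; SameSite={samesite}")


# Constructed sample headers, as a scanner would see them in responses.
SAMPLE_HEADERS = [
    "auth_tkt=dGlja2V0; Path=/",                                # both attributes absent
    "session=abc123; Path=/; SameSite=None",                    # cross-site allowed, not Secure
    "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax", # hardened
    "theme=dark; Path=/",                                       # not sensitive: no findings
]


def audit_all(headers=SAMPLE_HEADERS) -> dict:
    """Map each cookie name to its list of findings, for reporting."""
    return {a.name: a.findings for a in map(audit_set_cookie, headers)}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, "->", findings or ["ok"])
    print(hardened_set_cookie("session", "abc123", 3600))
```

Run the module to see one line per sample cookie; only the two sensitive cookies without the hardened attributes produce findings, and the 'theme' cookie is ignored because it carries no secret. Lax is the usual choice for a session cookie: Strict also withholds the cookie on top-level navigations from other sites, which logs users out of links that point into the application.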