
Protocol: Cookie Security

Identifier: header_set_cookie

Scanner(s) Support

GraphQL Scanner, REST Scanner, WebApp Scanner

Description

Cookies that are not set with the proper attributes can be intercepted on the network or read by malicious scripts, which could allow an attacker to hijack a session or steal sensitive session data. This happens when a cookie is sent over an unencrypted connection or is accessible to JavaScript (the cases the Secure and HttpOnly attributes exist to prevent), leaving it exposed to interception and script-based theft. Developers commonly overlook the attributes that restrict how a cookie is transmitted and accessed, so cookies that aren't properly secured can lead to significant issues such as unauthorized access and session hijacking.
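The kind of check this test performs, shown as an added example that is not the scanner's own code: it parses a Set-Cookie header and reports the attributes a secure session cookie should carry (Secure, HttpOnly, a restrictive SameSite, and the __Host- prefix rules). The header values are constructed for illustration, and the finding strings are hypothetical, not the scanner's wording.

```python
"""Audit Set-Cookie headers for missing security attributes (added example)."""
from __future__ import annotations


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")  # flag attributes have no value
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value, "attrs": attrs}


def cookie_findings(header: str) -> list[str]:
    """Return a list of findings; an empty list means the cookie is well set."""
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    findings: list[str] = []
    if "secure" not in attrs:
        findings.append("missing Secure")          # sent over plain HTTP
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")        # readable via document.cookie
    samesite = attrs.get("samesite", "").lower()
    if samesite == "":
        findings.append("missing SameSite")        # browser default applies
    elif samesite == "none":
        findings.append("SameSite=None allows cross-site sending")
    # __Host- prefixed cookies must be Secure, Path=/ and carry no Domain.
    if cookie["name"].startswith("__Host-") and (
        "secure" not in attrs or attrs.get("path") != "/" or "domain" in attrs
    ):
        findings.append("__Host- prefix requirements not met")
    return findings


def audit_response(headers: list[str]) -> dict[str, list[str]]:
    """Map each cookie name in a response to its findings."""
    return {parse_set_cookie(h)["name"]: cookie_findings(h) for h in headers}


if __name__ == "__main__":
    # Constructed sample response headers, not captured from a real site.
    sample = [
        "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
        "tracker=xyz; Path=/",
        "__Host-id=42; Path=/; HttpOnly; SameSite=Strict",
    ]
    for name, issues in audit_response(sample).items():
        print(name, "->", issues or "ok")
```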

References:

Configuration

Example

Example configuration:

---
security_tests:
  header_set_cookie:
    assets_allowed:
    - REST
    - GRAPHQL
    - WEBAPP
    skip: false

Reference

assets_allowed

Type : List[AssetType]*

List of assets that this check will cover.

skip

Type : boolean

Skip the test if true.