Sensitive cookie without 'HttpOnly' and 'Secure' flags
Description
The detected issue pertains to a Rails application whose session configuration, specifically using `cookie_store`, has one of its cookie attributes (the `$KEY` placeholder in the rule pattern) set to `false`. This setting is potentially insecure because the attribute in question may be one of the session cookie's security flags, `httponly` or `secure`, which would then not be enforced. In the context of web applications, these flags play a vital role in session security: `HttpOnly` keeps the session cookie out of reach of client-side script (`document.cookie`), and `Secure` stops the browser from sending it over plaintext HTTP.
Examples
Insecure Code
```ruby
Rails.application.config.session_store :cookie_store, key: '_your_app_session', httponly: false, secure: false
```
Secure Code
```ruby
Rails.application.config.session_store :cookie_store, key: '_your_app_session', httponly: true, secure: Rails.env.production?
```
Remediation
Set the 'HttpOnly' and 'Secure' flags to true in the session configuration. For example: `Rails.application.config.session_store :cookie_store, key: '_your_app_session', httponly: true, secure: Rails.env.production?`. Tying `secure` to `Rails.env.production?` enforces the flag where the application is served over HTTPS while keeping the session usable over plain HTTP in local development; a cookie marked `Secure` is never sent over HTTP, so setting it unconditionally in a non-TLS environment breaks the session.
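As an added example (not code from the rule page or from Rails), the following Ruby script builds the option hash the remediation recommends, checks a `cookie_store` option hash for the two flags the rule cares about, and checks a `Set-Cookie` header value the way an external review of the running application would. The `production:` keyword stands in for `Rails.env.production?` so the script runs without Rails; the header value and cookie name are constructed sample data.

```ruby
# Added example, not part of the rule page or of Rails itself.

# Returns the session cookie options the remediation recommends.
# `production` stands in for Rails.env.production? so this runs offline.
def session_cookie_options(production:)
  {
    key: '_your_app_session',
    httponly: true,
    # Secure only in production: the cookie still works over plain HTTP in
    # local development, exactly as `secure: Rails.env.production?` does.
    secure: production
  }
end

# Returns the session security flags that are not explicitly true in a
# cookie_store option hash. An absent key is reported as well, so the check
# does not depend on remembering the framework default for each flag.
def insecure_session_flags(options)
  %i[httponly secure].reject { |flag| options[flag] == true }
end

# Parses a Set-Cookie header value and returns which of HttpOnly / Secure
# are absent. Attribute names are case-insensitive, so compare lowercased.
def missing_cookie_attributes(set_cookie)
  attrs = set_cookie.split(';').drop(1).map do |attr|
    attr.strip.split('=', 2).first.downcase
  end
  %w[httponly secure].reject { |name| attrs.include?(name) }
end

if __FILE__ == $PROGRAM_NAME
  # The insecure configuration from the page, as an option hash.
  p insecure_session_flags({ key: '_your_app_session', httponly: false, secure: false })
  # The remediated configuration, evaluated in production and in development.
  p insecure_session_flags(session_cookie_options(production: true))
  p insecure_session_flags(session_cookie_options(production: false))
  # Constructed header, as an app with the insecure config would emit it.
  p missing_cookie_attributes('_your_app_session=abc123; path=/; SameSite=Lax')
end
```

`insecure_session_flags` is the check the scanner performs on the configuration; `missing_cookie_attributes` is the complementary check on what the browser actually receives, which also catches a proxy or middleware stripping the attributes after Rails has set them.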
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0518 |
| Category | Web |
| Severity | LOW |
| CWE | CWE-1004 |
| Confidence | HIGH |
| Impact | LOW |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | session management, cookie security |
| OWASP | A6:2017-Security Misconfiguration, A05:2021-Security Misconfiguration |
References
- https://github.com/semgrep/semgrep-rules/blob/develop/ruby/rails/security/brakeman/check-cookie-store-session-security-attributes.yaml
- https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes