Comments (6)
davewichers
commented on June 4, 2024
1
@LuisVentuzelos - I just checked in changes to all the .html files that had Cookies.set() calls in them to add the missing "secure: true" attribute. I'm going to close this issue now, but if you see any problems, let me know.
from benchmarkjava.
davewichers
commented on June 4, 2024
The OWASP Benchmark currently only has deliberate vulns in the Java code. Any vulns in the HTML or JavaScript for the UI you might find are incidental (i.e., not deliberate) and are not scored. If you do find html/JS vulns, please let me know what they are as I might try to fix them. I do try to eliminate unintended vulns, leaving only the intentional ones to be scored.
from benchmarkjava.
LuisVentuzelos
commented on June 4, 2024
Following up on this issue we found an potencial Sensitive Cookie in HTTPS Session Without 'Secure' Attribute vulnerability on the OWASP Project in Javascript on the following files:
-
BenchmarkTest00088.html
-
BenchmarkTest00089.html
-
BenchmarkTest01862.html
-
BenchmarkTest01863.html
For example on the file BenchmarkTest01862.html we have the following function
function setCookie(cname, cvalue, exdays) { Cookies.set(cname, cvalue,{ path: 'BenchmarkTest01862', version: 1 }); $("#cValue").text(document.cookie); }
this function doesn't use the secure protocol flag
We can see this in the documentation:
https://github.com/js-cookie/js-cookie
Can you look into this?
I created a Pull Request to bypass this issue on our solution.
from benchmarkjava.
davewichers
commented on June 4, 2024
There are no intentional vulnerabilities in the .html code, and we don't score them. I've accepted your pull request. Is there anything else you suggest I do related to this? We could fix the .html to eliminate the unintentional vulnerabilities. I do that all the time when tools point out vulns that weren't intended to be there on purpose. If you think I should fix it, would specific change to the code snippet above should I make?
from benchmarkjava.
LuisVentuzelos
commented on June 4, 2024
Thanks Dave :)
Simply adding a secure: true to the set cookie function should be enough . That way we guarantee that the cookie transmission requires a secure protocol
Example:
function setCookie(cname, cvalue, exdays) { Cookies.set(cname, cvalue,{ path: 'BenchmarkTest00077', version: 1, secure: true }); $("#cValue").text(document.cookie); }
from benchmarkjava.
LuisVentuzelos
commented on June 4, 2024
Thanks Dave!
I'll let you know if I have any more issues :)
from benchmarkjava.
Related Issues (20)
- add a new IAST detection tool
- scripts/runHorusec.sh no longer works HOT 9
- BUILD FAILURE:Failed to execute goal com.diffplug.spotless:spotless-maven-plugin:2.22.1:apply (spotless-apply) on project benchmark: Execution spotless-apply of goal com.diffplug.spotless:spotless-maven-plugin:2.22.1:apply failed: Cannot find git repository in any parent directory HOT 4
- BenchmarkTest00209 has an insecure hash vulnerability HOT 2
- My result file can't be identified by the createscorecards.bat HOT 13
- createScorecards.bat - Error resolving version for plugin 'org.owasp:benchmarkutils-maven-plugin' from the repositories HOT 2
- mvn compile or mvn install - Failed to execute goal com.diffplug.spotless:spotless-maven-plugin. HOT 7
- [BUG] The json file output by semgrep is not correctly scored HOT 11
- /usr/bin/jq: Argument list too long HOT 8
- Send custom csv file in createScorecards.sh HOT 8
- Owasp benchmark version in 2018 HOT 5
- GPG key error when building the latest version of ubuntu HOT 1
- deleted
- Trying to create scorecard for Semgrep results but I get empty FluidAttacks scorecard HOT 4
- Assistance Needed with OWASP Benchmark Project for Master's Thesis HOT 2
- Exception in thread "main" java.lang.ExceptionInInitializerError HOT 4
- Add some new vulnerability types HOT 5
- [Q&A] Is ‘file_read’ the desired type of vulnerability in BenchmarkTest00363 HOT 2
- Issue in SQL testcases including ExecuteBatch function HOT 6
- Sonatype URL change for Contrast Java Agent Downloads HOT 6
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from benchmarkjava.