Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

huangapple go评论61阅读模式
英文:

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

问题

I am setting some values in cookie through JS in my code. I am passing secure; while setting values to cookie. But still I am getting "Sensitive Cookie in HTTPS Session Without 'Secure' Attribute" as vulnerability.

document.cookie=${name}=${val1};domain=${domainName};path=/;secure;;

英文:

I am setting some values in cookie through JS in my code. I am passing secure; while setting values to cookie. But still I am getting "Sensitive Cookie in HTTPS Session Without 'Secure' Attribute" as vulnerability.

document.cookie=`${name}=${val1};domain=${domainName};path=/;secure;`;

答案1

得分: 3

看起来你在设置Cookie时设置了secure标志,这是确保Cookie仅通过HTTPS发送的正确方式。然而,漏洞扫描器可能仍将其标记为虚假阳性。

你可以尝试明确设置HttpOnly标志。它确保Cookie不能被客户端脚本访问。你可以像这样将其添加到Cookie中:

document.cookie=${name}=${val1};domain=${domainName};path=/;secure;HttpOnly;

英文:

Looks like you're setting the secure flag while setting the cookie, which is the correct way to make sure the cookie is only ever sent over HTTPS. However, it's possible that the vulnerability scanner is flagging it as a false positive anyways.

You could try explicitly setting the HttpOnly flag as well. It ensures that the cookie cannot be accessed by client-side scripts. You can add it to the cookie like this:

document.cookie=`${name}=${val1};domain=${domainName};path=/;secure;HttpOnly`;

答案2

得分: 0

确保您使用的漏洞检测工具已更新并准确?有可能该工具正在生成虚假阳性或因某种原因未正确检测您代码中的“secure”属性。

也许尝试使用不同的漏洞检测工具,尽管我不确定是否会有效。

我想评论此问题,但我没有足够的声誉来这样做。

英文:

Perhaps make sure that the vulnerability detection tool you're using is updated and accurate? It's possible that the tool is generating a false positive or not properly detecting the "secure" attribute in your code for some reason.

Maybe true using a different vulnerability detection tool, though I'm not sure whether that would work.

I'd comment this, but I don't have the reputation to do so.

huangapple
  • 本文由 发表于 2023年5月29日 18:11:22
  • 转载请务必保留本文链接:https://go.coder-hub.com/76356440.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定