ID: java-security/cookies-http-only
Language: Java
Severity: Warning
Category: Security
CWE: 614
Description
A cookie must always be created with the HttpOnly flag. The flag prevents malicious scripts from accessing the cookie. Always set HttpOnly; in the Servlet API this is `cookie.setHttpOnly(true)` before the cookie is added to the response.
Learn More
Non-Compliant Code Examples
/**
* OWASP Benchmark Project v1.2
*
* <p>This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For
* details, please see <a
* href="https://owasp.org/www-project-benchmark/">https://owasp.org/www-project-benchmark/</a>.
*
* <p>The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
* of the GNU General Public License as published by the Free Software Foundation, version 2.
*
* <p>The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
* WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
* PURPOSE. See the GNU General Public License for more details.
*
* @author Dave Wichers
* @created 2015
*/
package org.owasp.benchmark.testcode;
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
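@WebServlet(value = "/crypto-01/BenchmarkTest00943")
public class BenchmarkTest00943 extends HttpServlet {
    private static final long serialVersionUID = 1L;

    /** Name of the cookie this test case issues on GET and reads back on POST. */
    private static final String COOKIE_NAME = "BenchmarkTest00943";

    /** Charset for every byte/String conversion, so results do not depend on the platform default. */
    private static final java.nio.charset.Charset CHARSET = java.nio.charset.StandardCharsets.UTF_8;

    /**
     * Issues the test cookie and renders the test page.
     *
     * <p>This is the rule's non-compliant example: the cookie is added to the response without
     * {@code setHttpOnly(true)}, so it remains readable from client-side script (CWE-614). The
     * compliant form calls {@code userCookie.setHttpOnly(true)} before {@code addCookie}.
     *
     * @param request incoming request; its URI and host are copied into the cookie path and domain
     * @param response response the cookie and the included page are written to
     * @throws ServletException if the page cannot be included
     * @throws IOException if the include fails or the request URL cannot be parsed
     */
    @Override
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html;charset=UTF-8");

        javax.servlet.http.Cookie userCookie = new javax.servlet.http.Cookie(COOKIE_NAME, "someSecret");
        userCookie.setMaxAge(60 * 3); // Store cookie for 3 minutes
        userCookie.setPath(request.getRequestURI());
        userCookie.setDomain(new java.net.URL(request.getRequestURL().toString()).getHost());
        // Deliberately absent: userCookie.setHttpOnly(true). This is what the rule reports.
        response.addCookie(userCookie);

        javax.servlet.RequestDispatcher rd =
                request.getRequestDispatcher("/crypto-01/BenchmarkTest00943.html");
        rd.include(request, response);
    }

    /**
     * Reads the test cookie back, encrypts its value with the project cipher and appends the
     * base64-encoded ciphertext to the shared password file.
     *
     * @param request incoming request; the test cookie is taken from it when present
     * @param response response the status lines are written to
     * @throws ServletException if the cipher rejects the input (wrapped cause) or the page cannot be included
     * @throws IOException if writing the response or the password file fails
     */
    @Override
    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html;charset=UTF-8");

        String param = readTestCookie(request);
        String bar = new Test().doSomething(request, param);

        // Code based on example from:
        // http://examples.javacodegeeks.com/core-java/crypto/encrypt-decrypt-file-stream-with-des/
        try {
            javax.crypto.Cipher c = org.owasp.benchmark.helpers.Utils.getCipher();

            // bar is always a String here (doSomething returns one), so the former
            // InputStream branch was unreachable and has been dropped. '?' is the
            // placeholder the original used when no usable input was present.
            byte[] input = bar == null ? new byte[] {(byte) '?'} : bar.getBytes(CHARSET);
            byte[] result = c.doFinal(input);

            appendToPasswordFile(result);

            response.getWriter()
                    .println(
                            "Sensitive value: '"
                                    + org.owasp.esapi.ESAPI.encoder().encodeForHTML(new String(input, CHARSET))
                                    + "' encrypted and stored<br/>");
        } catch (javax.crypto.IllegalBlockSizeException | javax.crypto.BadPaddingException e) {
            response.getWriter()
                    .println(
                            "Problem executing crypto - javax.crypto.Cipher.getInstance(java.lang.String,java.security.Provider) Test Case");
            // The stack trace goes to the container log, not to the HTTP client (CWE-209).
            log("Problem executing crypto in " + COOKIE_NAME, e);
            throw new ServletException(e);
        }
        response.getWriter()
                .println(
                        "Crypto Test javax.crypto.Cipher.getInstance(java.lang.String,java.lang.String) executed");
    } // end doPost

    /**
     * Returns the URL-decoded value of the test cookie, or {@code "noCookieValueSupplied"} when the
     * request carries no such cookie.
     *
     * @param request request whose cookies are scanned
     * @throws java.io.UnsupportedEncodingException never in practice; UTF-8 is always available
     */
    private static String readTestCookie(HttpServletRequest request)
            throws java.io.UnsupportedEncodingException {
        javax.servlet.http.Cookie[] theCookies = request.getCookies();
        if (theCookies != null) {
            for (javax.servlet.http.Cookie theCookie : theCookies) {
                if (COOKIE_NAME.equals(theCookie.getName())) {
                    return java.net.URLDecoder.decode(theCookie.getValue(), "UTF-8");
                }
            }
        }
        return "noCookieValueSupplied";
    }

    /**
     * Appends one {@code secret_value=<base64>} line to the shared password file.
     *
     * <p>The writer is opened in try-with-resources: the original FileWriter was never closed
     * when {@code write()} threw.
     *
     * @param result ciphertext to record
     * @throws IOException if the file cannot be opened or written
     */
    private static void appendToPasswordFile(byte[] result) throws IOException {
        java.io.File fileTarget =
                new java.io.File(
                        new java.io.File(org.owasp.benchmark.helpers.Utils.TESTFILES_DIR),
                        "passwordFile.txt");
        try (java.io.FileWriter fw = new java.io.FileWriter(fileTarget, true)) { // true = append
            fw.write(
                    "secret_value="
                            + org.owasp.esapi.ESAPI.encoder().encodeForBase64(result, true)
                            + "\n");
        }
    }

    /**
     * Dataflow indirection used by the benchmark: the parameter is routed through a list so that
     * taint must be tracked across an inner class. Static, since it never touches the servlet
     * instance.
     */
    private static class Test {
        /**
         * Returns {@code param} unchanged (via the list round-trip), or {@code ""} when it is null.
         *
         * @param request unused; kept for the benchmark's call shape
         * @param param value to pass through
         */
        public String doSomething(HttpServletRequest request, String param)
                throws ServletException, IOException {
            String bar = "";
            if (param != null) {
                java.util.List<String> valuesList = new java.util.ArrayList<String>();
                valuesList.add("safe");
                valuesList.add(param);
                valuesList.add("moresafe");
                valuesList.remove(0); // remove the 1st safe value
                bar = valuesList.get(0); // get the param value
            }
            return bar;
        }
    } // end innerclass Test
} // end DataflowThruInnerClass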
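class NotCompliant {
    /**
     * Issues a cookie without the HttpOnly flag — the pattern java-security/cookies-http-only reports.
     *
     * <p>{@code cookie.setHttpOnly(true)} is never called, so the cookie stays readable from
     * client-side script (CWE-614). The stray {@code response.addCookie(userCookie)} line of the
     * original snippet referenced an undefined variable and is dropped; the missing statement
     * terminator on the include call is restored.
     *
     * @param field cookie name
     * @param value cookie value
     */
    public void setCookie(String field, String value) {
        Cookie cookie = new Cookie(field, value);
        cookie.setMaxAge(60 * 3); // Store cookie for 3 minutes
        // Non-compliant: no cookie.setHttpOnly(true) before the cookie is added.
        response.addCookie(cookie);
        javax.servlet.RequestDispatcher rd =
                request.getRequestDispatcher("/weakrand-00/BenchmarkTest00078.html");
        rd.include(request, response);
    }
}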
Compliant Code Examples
class Compliant {
    /**
     * Issues a cookie with the HttpOnly flag set, as java-security/cookies-http-only requires.
     *
     * <p>HttpOnly only keeps the cookie away from client-side script; it does not set the Secure
     * or SameSite attributes, which are separate decisions.
     *
     * @param field cookie name
     * @param value cookie value
     */
    public void setCookie(String field, String value) {
        final Cookie cookie = new Cookie(field, value);
        myMethod();
        // Compliant: the flag is set before the cookie reaches the response.
        cookie.setHttpOnly(true);
        response.addCookie(cookie);
    }
}