- 필수 기능
- 시작하기
- Glossary
- 표준 속성
- Guides
- Agent
- 통합
- 개방형텔레메트리
- 개발자
- Administrator's Guide
- API
- Datadog Mobile App
- CoScreen
- Cloudcraft
- 앱 내
- 서비스 관리
- 인프라스트럭처
- 애플리케이션 성능
- APM
- Continuous Profiler
- 스팬 시각화
- 데이터 스트림 모니터링
- 데이터 작업 모니터링
- 디지털 경험
- 소프트웨어 제공
- 보안
- AI Observability
- 로그 관리
- 관리
ID: java-security/cookies-secure-flag
Language: Java
Severity: Warning
Category: Security
CWE: 614
Ensure cookies use the secure
flag or attribute. If not set, it could cause the user agent to send those cookies in plaintext over an HTTP session.
class Compliant {
@Override
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
response.setContentType("text/html;charset=UTF-8");
String queryString = request.getQueryString();
String paramval = "BenchmarkTest01683" + "=";
int paramLoc = -1;
if (queryString != null) paramLoc = queryString.indexOf(paramval);
if (paramLoc == -1) {
response.getWriter()
.println(
"getQueryString() couldn't find expected parameter '"
+ "BenchmarkTest01683"
+ "' in query string.");
return;
}
String param =
queryString.substring(
paramLoc
+ paramval
.length()); // 1st assume "BenchmarkTest01683" param is last
// parameter in query string.
// And then check to see if its in the middle of the query string and if so, trim off what
// comes after.
int ampersandLoc = queryString.indexOf("&", paramLoc);
if (ampersandLoc != -1) {
param = queryString.substring(paramLoc + paramval.length(), ampersandLoc);
}
param = java.net.URLDecoder.decode(param, "UTF-8");
String bar = new Test().doSomething(request, param);
byte[] input = new byte[1000];
String str = "?";
Object inputParam = param;
if (inputParam instanceof String) str = ((String) inputParam);
if (inputParam instanceof java.io.InputStream) {
int i = ((java.io.InputStream) inputParam).read(input);
if (i == -1) {
response.getWriter()
.println(
"This input source requires a POST, not a GET. Incompatible UI for the InputStream source.");
return;
}
str = new String(input, 0, i);
}
if ("".equals(str)) str = "No cookie value supplied";
javax.servlet.http.Cookie cookie = new javax.servlet.http.Cookie("SomeCookie", str);
cookie.setSecure(false);
cookie.setHttpOnly(true);
cookie.setPath(request.getRequestURI()); // i.e., set path to JUST this servlet
// e.g., /benchmark/sql-01/BenchmarkTest01001
response.addCookie(cookie);
response.getWriter()
.println(
"Created cookie: 'SomeCookie': with value: '"
+ org.owasp.esapi.ESAPI.encoder().encodeForHTML(str)
+ "' and secure flag set to: false");
}
}
class NotCompliant {
public void setCookie(String field, String value) {
Cookie cookie = new Cookie(field, value);
response.addCookie(cookie);
}
}
class Compliant {
public void setCookie(String field, String value) {
Cookie cookie = new Cookie(field, value);
cookie.setSecure(true);
cookie.setHttpOnly(true);
response.addCookie(cookie);
}
}