
Commit 55fd7c8

Update documentation
1 parent 1208195 commit 55fd7c8


5 files changed

+11
-11
lines changed


python/ql/src/Security/CWE-1004/NonHttpOnlyCookie.qhelp

Lines changed: 1 addition & 1 deletion
@@ -6,7 +6,7 @@
66
<overview>
77
<p>Cookies without the <code>HttpOnly</code> flag set are accessible to JavaScript running in the same origin.
88
In case of a Cross-Site Scripting (XSS) vulnerability, the cookie can be stolen by a malicious script.
9-
If a cookie does not need to be accessed directly by client-side JS, the <code>HttpOnly</code> flag should be set.</p>
9+
If a sensitive cookie does not need to be accessed directly by client-side JS, the <code>HttpOnly</code> flag should be set.</p>
1010
</overview>
1111

1212
<recommendation>
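Review bot: the new "sensitive cookie" qualifier in the changed sentence leaves "sensitive" undefined, while the sentence before it still says the cookie can be stolen without any qualification; since the example files in this same commit rename the cookie to sessionid, consider naming the typical case so the two sentences agree, e.g. "If a sensitive cookie (such as a session or authentication cookie) does not need to be accessed directly by client-side JS, the <code>HttpOnly</code> flag should be set."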

python/ql/src/Security/CWE-1004/examples/InsecureCookie.py

Lines changed: 3 additions & 3 deletions
@@ -4,18 +4,18 @@
44
@app.route("/good1")
55
def good1():
66
resp = make_response()
7-
resp.set_cookie("name", value="value", secure=True, httponly=True, samesite='Strict') # GOOD: Attributes are securely set
7+
resp.set_cookie("sessionid", value="value", secure=True, httponly=True, samesite='Strict') # GOOD: Attributes are securely set
88
return resp
99

1010

1111
@app.route("/good2")
1212
def good2():
1313
resp = make_response()
14-
resp.headers['Set-Cookie'] = "name=value; Secure; HttpOnly; SameSite=Strict" # GOOD: Attributes are securely set
14+
resp.headers['Set-Cookie'] = "sessionid=value; Secure; HttpOnly; SameSite=Strict" # GOOD: Attributes are securely set
1515
return resp
1616

1717
@app.route("/bad1")
1818
def bad1():
1919
resp = make_response()
20-
resp.set_cookie("name", value="value", samesite='None') # BAD: the SameSite attribute is set to 'None' and the 'Secure' and 'HttpOnly' attributes are set to False by default.
20+
resp.set_cookie("sessionid", value="value", samesite='None') # BAD: the SameSite attribute is set to 'None' and the 'Secure' and 'HttpOnly' attributes are set to False by default.
2121
return resp
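Review bot: the `# BAD` comment on bad1 still leads with the SameSite='None' issue, but this file is the example for the CWE-1004 NonHttpOnlyCookie query, so the attribute that query actually flags (httponly left at its False default) is mentioned last; with the cookie now named sessionid it would read better as, e.g., `# BAD: HttpOnly is not set (False by default), so the session cookie is readable by script; Secure is also unset and SameSite is 'None'`. The rename itself is fine and makes the "sensitive cookie" wording in the qhelp concrete.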

python/ql/src/Security/CWE-1275/SameSiteNoneCookie.qhelp

Lines changed: 1 addition & 1 deletion
@@ -5,7 +5,7 @@
55

66
<overview>
77
<p>Cookies with the <code>SameSite</code> attribute set to <code>'None'</code> will be sent with cross-origin requests.
8-
This can sometimes allow for Cross-Site Request Forgery (CSRF) attacks, in which a third-party site could perform actions on behalf of a user.</p>
8+
This can sometimes allow for Cross-Site Request Forgery (CSRF) attacks, in which a third-party site could perform actions on behalf of a user, if the cookie is used for authentication.</p>
99
</overview>
1010

1111
<recommendation>
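Review bot: the added condition "if the cookie is used for authentication" hangs at the end of the sentence after "on behalf of a user", where it reads as qualifying the user rather than the CSRF risk; moving it to the front is clearer, e.g. "If the cookie is used for authentication, this can allow Cross-Site Request Forgery (CSRF) attacks, in which a third-party site could perform actions on behalf of the user." With that condition stated, "can sometimes allow" is double hedging; one of the two suffices.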

python/ql/src/Security/CWE-1275/examples/InsecureCookie.py

Lines changed: 3 additions & 3 deletions
@@ -4,18 +4,18 @@
44
@app.route("/good1")
55
def good1():
66
resp = make_response()
7-
resp.set_cookie("name", value="value", secure=True, httponly=True, samesite='Strict') # GOOD: Attributes are securely set
7+
resp.set_cookie("sessionid", value="value", secure=True, httponly=True, samesite='Strict') # GOOD: Attributes are securely set
88
return resp
99

1010

1111
@app.route("/good2")
1212
def good2():
1313
resp = make_response()
14-
resp.headers['Set-Cookie'] = "name=value; Secure; HttpOnly; SameSite=Strict" # GOOD: Attributes are securely set
14+
resp.headers['Set-Cookie'] = "sessionid=value; Secure; HttpOnly; SameSite=Strict" # GOOD: Attributes are securely set
1515
return resp
1616

1717
@app.route("/bad1")
1818
def bad1():
1919
resp = make_response()
20-
resp.set_cookie("name", value="value", samesite='None') # BAD: the SameSite attribute is set to 'None' and the 'Secure' and 'HttpOnly' attributes are set to False by default.
20+
resp.set_cookie("sessionid", value="value", samesite='None') # BAD: the SameSite attribute is set to 'None' and the 'Secure' and 'HttpOnly' attributes are set to False by default.
2121
return resp
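Review bot: the qhelp for this query now conditions the CSRF risk on the cookie being used for authentication, but nothing in the example ties sessionid to authentication beyond its name; a short comment on bad1 (e.g. `# sessionid is the authentication cookie, so SameSite='None' exposes it to CSRF`) would connect the example to the new qhelp wording and explain why the rename from "name" matters for this particular query.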

python/ql/src/Security/CWE-614/examples/InsecureCookie.py

Lines changed: 3 additions & 3 deletions
@@ -4,18 +4,18 @@
44
@app.route("/good1")
55
def good1():
66
resp = make_response()
7-
resp.set_cookie("name", value="value", secure=True, httponly=True, samesite='Strict') # GOOD: Attributes are securely set
7+
resp.set_cookie("sessionid", value="value", secure=True, httponly=True, samesite='Strict') # GOOD: Attributes are securely set
88
return resp
99

1010

1111
@app.route("/good2")
1212
def good2():
1313
resp = make_response()
14-
resp.headers['Set-Cookie'] = "name=value; Secure; HttpOnly; SameSite=Strict" # GOOD: Attributes are securely set
14+
resp.headers['Set-Cookie'] = "sessionid=value; Secure; HttpOnly; SameSite=Strict" # GOOD: Attributes are securely set
1515
return resp
1616

1717
@app.route("/bad1")
1818
def bad1():
1919
resp = make_response()
20-
resp.set_cookie("name", value="value", samesite='None') # BAD: the SameSite attribute is set to 'None' and the 'Secure' and 'HttpOnly' attributes are set to False by default.
20+
resp.set_cookie("sessionid", value="value", samesite='None') # BAD: the SameSite attribute is set to 'None' and the 'Secure' and 'HttpOnly' attributes are set to False by default.
2121
return resp
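Review bot: the commit changes the qhelp for CWE-1004 and CWE-1275 but only the example for CWE-614, so the CWE-614 qhelp keeps its old wording while its example now refers to sessionid; check whether that qhelp needs the same "sensitive cookie" qualifier for consistency, and whether the bad1 comment here should foreground the missing `secure=True`, since that is the attribute the CWE-614 query flags. This file is also identical to the CWE-1004 and CWE-1275 examples above and the same three-line rename was applied to each; if they are meant to stay in lockstep, consider sharing one example file or adding a check that diffs them.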
