Insecurely generated cookies - HttpOnly - Go

Insecurely generated cookies - HttpOnly - Go

Need

Secure generation of cookies with the HttpOnly attribute

Context

  • Usage of Go 1.16 for developing high-performance and efficient applications
  • Usage of Gin framework for building web applications in Go

Description

Non compliant code

        package main

import (
    "github.com/gin-gonic/gin"
)

func main() {
    r := gin.Default()

    r.GET("/cookie", func(c *gin.Context) {
        c.SetCookie("cookie_name", "cookie_value", 3600, "/", "localhost", false, false)
    })

    r.Run() // listen and serve on 0.0.0.0:8080
}
        
        

In the above code, a cookie is being set in the /cookie endpoint without properly setting the HttpOnly attribute.

The SetCookie function has the following signature:

                func (c *Context) SetCookie(name, value string, maxAge int, path, domain string, secure, httpOnly bool)

            


In the provided code, the httpOnly parameter is set to false, which means that the cookie can be accessed through client-side scripts. This can potentially lead to security issues like Cross-Site Scripting (XSS) attacks, where an attacker might be able to steal the cookie and use it for session hijacking.

The secure parameter is also set to false, which means that the cookie can be transmitted over unsecured HTTP connections. This can potentially lead to Man-in-the-Middle (MitM) attacks, where an attacker can intercept the HTTP traffic and steal the cookie.

In order to fix this vulnerability, the httpOnly parameter should be set to true to prevent client-side scripts from accessing the cookie, and the secure parameter should be set to true to ensure that the cookie is only transmitted over secure HTTPS connections.

Steps

  • Set the HttpOnly attribute when generating cookies.
  • Use the Secure attribute for cookies if the application is served over HTTPS.
  • Ensure that the cookie is only accessible on the intended domain by setting the Domain attribute appropriately.
  • Set the Path attribute to restrict the cookie to a specific path if necessary.
  • Use a longer and more secure cookie value to enhance security.
  • Consider using a library or framework-specific method to generate cookies securely.

Compliant code

        package main

import (
    "github.com/gin-gonic/gin"
)

func main() {
    r := gin.Default()

    r.GET("/cookie", func(c *gin.Context) {
        c.SetCookie("cookie_name", "cookie_value", 3600, "/", "localhost", true, true)
    })

    r.Run() // listen and serve on 0.0.0.0:8080
}
        
        

The original code was vulnerable because it was setting cookies without the HttpOnly attribute, which can expose the application to attacks such as cross-site scripting (XSS).

The HttpOnly attribute is a flag that can be included when setting a cookie to restrict access to the cookie from client-side scripts. This makes it harder for an attacker to steal the cookie through XSS.

The updated code sets the HttpOnly attribute to true when setting the cookie, which means the cookie cannot be accessed through client-side scripts. This significantly reduces the risk of XSS attacks.

In addition, the Secure attribute is also set to true. This means the cookie will only be sent over HTTPS, which provides an additional layer of security by ensuring the cookie is encrypted during transmission.

The other parameters for the SetCookie function are the same as before: the name of the cookie ("cookie_name"), the value of the cookie ("cookie_value"), the max age of the cookie in seconds (3600), the path ("/"), and the domain ("localhost").

Remember, it's also important to use a long and secure value for the cookie, and to restrict the cookie to the intended domain and path. These measures can further enhance the security of your application.

References