Enforce secure cookie generation by setting the HttpOnly attribute
from django.http import HttpResponse

def set_cookie(request):
    response = HttpResponse("Setting your cookie")
    # Vulnerable: no httponly flag, so the cookie is readable from client-side script
    response.set_cookie('cookie_name', 'cookie_value')
    return response
In the above piece of code, a cookie is being set without the HttpOnly attribute. The set_cookie method of Django's HttpResponse class is used to set a cookie; here it is called with only two arguments, the name of the cookie and the value of the cookie.
The HttpOnly attribute is therefore not set. HttpOnly is an important security measure that helps to mitigate the impact of cross-site scripting (XSS) attacks. When the HttpOnly attribute is set, the browser refuses to expose the cookie to client-side scripts (for example through document.cookie). This means that even if an attacker can inject a script into the page, they cannot read the cookie or send it to a server they control. Note that HttpOnly does not stop the browser from attaching the cookie to requests, so an injected script can still act on the user's behalf; the attribute limits cookie theft, it does not fix the underlying XSS.
Without the HttpOnly attribute, if an XSS vulnerability exists elsewhere in the application, an attacker could potentially steal sensitive information stored in cookies, such as a session identifier. Therefore, it is crucial to always set the HttpOnly attribute when setting cookies that scripts do not need to read.
from django.http import HttpResponse

def set_cookie(request):
    response = HttpResponse("Setting your cookie")
    # Fixed: httponly=True adds the HttpOnly attribute to the Set-Cookie header
    response.set_cookie('cookie_name', 'cookie_value', httponly=True)
    return response
The above code is a fixed version of the previously vulnerable code. The vulnerability was that the application's cookies were being generated without the HttpOnly attribute. This attribute is crucial for security because it prevents client-side scripts from accessing the cookie, thereby reducing the impact of cross-site scripting (XSS) attacks.
In the fixed code, the set_cookie method is called with an additional keyword argument, httponly=True. This ensures that the HttpOnly attribute is included when the cookie is set.
The set_cookie call now looks like this: response.set_cookie('cookie_name', 'cookie_value', httponly=True).
Here 'cookie_name' and 'cookie_value' are the name and value of the cookie respectively, and httponly=True sets the HttpOnly attribute.
After implementing this fix, it is important to test the application to ensure that cookies are now being set with the HttpOnly attribute. This can be done by inspecting the cookies in your browser's developer tools, by using a tool like curl or Postman to inspect the Set-Cookie response headers, or in a Django test by checking response.cookies['cookie_name']['httponly'] on the response returned by the test client.
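As an added example that is not part of the original page, the following stdlib-only script audits the Set-Cookie headers of a raw HTTP response (the kind of output curl -i produces) and reports cookies that lack HttpOnly; it also goes beyond the page by checking for the Secure and SameSite attributes. The response text is constructed: its first cookie mirrors what the vulnerable view emits and the second what a hardened view emits.

```python
# Added example (not from the original page): audit Set-Cookie headers for the
# HttpOnly attribute discussed above, plus Secure and SameSite.
# SAMPLE_RESPONSE is a constructed "curl -i" style response, not captured output.
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: cookie_name=cookie_value; Path=/
Set-Cookie: sessionid=abc123; HttpOnly; Path=/; SameSite=Lax; Secure
"""

REQUIRED_ATTRIBUTES = ("httponly", "secure", "samesite")


def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (cookie_name, {attribute: value}).

    Flag attributes without a value (HttpOnly, Secure) map to True.
    Attribute names are lower-cased because they are case-insensitive.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() or True
    return name, attrs


def audit_cookies(raw_response):
    """Return {cookie_name: [missing attributes]} for every Set-Cookie header."""
    findings = {}
    for line in raw_response.splitlines():
        if not line.lower().startswith("set-cookie:"):
            continue
        name, attrs = parse_set_cookie(line.split(":", 1)[1])
        findings[name] = [a for a in REQUIRED_ATTRIBUTES if a not in attrs]
    return findings


if __name__ == "__main__":
    for cookie, missing in audit_cookies(SAMPLE_RESPONSE).items():
        status = "OK" if not missing else "missing " + ", ".join(missing)
        print(f"{cookie}: {status}")
```

Pipe a real response into audit_cookies (for example the saved output of curl -i against your development server) to confirm that the fixed view now emits HttpOnly.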