Ensure secure generation and transmission of cookies
from django.http import HttpResponse
from django.views.decorators.csrf import csrf_exempt

# csrf_exempt is unrelated to the cookie problem; it is kept as in the original view.
@csrf_exempt
def set_cookie(request):
    response = HttpResponse("Setting your cookie")
    # Vulnerable: no secure flag, so the browser will also send this
    # cookie over plain HTTP connections.
    response.set_cookie('sensitive_cookie', 'sensitive data')
    return response
The above code is a simple Django view function that sets a cookie named 'sensitive_cookie' with the value 'sensitive data'. The vulnerability is that the cookie is set without the 'secure' attribute.

The 'secure' attribute is a flag the server can include when it sends a new cookie to the browser in an HTTP response. When it is set, the browser only sends the cookie back over encrypted connections (HTTPS), never over plain HTTP.

In the code above, the 'secure' attribute is not set when 'sensitive_cookie' is created. The browser will therefore attach the cookie to any request for the site's domain, including plain HTTP requests, where anyone positioned on the network path (on shared Wi-Fi, for example) can read it. That is a real risk whenever the cookie carries sensitive information such as a session identifier.

In Django, the 'secure' attribute is set by passing secure=True to the set_cookie method. The parameter defaults to False, so omitting it, as the code above does, produces a cookie that can be sent in the clear.
from django.http import HttpResponse
from django.views.decorators.csrf import csrf_exempt
from django.conf import settings

@csrf_exempt
def set_cookie(request):
    response = HttpResponse("Setting your cookie")
    # The secure flag follows the project's SESSION_COOKIE_SECURE setting,
    # which should be True in any production (HTTPS) deployment.
    response.set_cookie('sensitive_cookie', 'sensitive data',
                        secure=settings.SESSION_COOKIE_SECURE)
    return response
The updated code imports Django's settings module and passes secure=settings.SESSION_COOKIE_SECURE to set_cookie. SESSION_COOKIE_SECURE is the setting Django itself uses to decide whether the session cookie is marked secure, so tying the custom cookie to it keeps the two consistent: when the setting is True, 'sensitive_cookie' is only sent over HTTPS; when it is False, or left at its default of False, the cookie is still sent over plain HTTP and the code is no safer than before.

The fix therefore only holds if the deployment actually sets SESSION_COOKIE_SECURE = True (and, for the same reason, CSRF_COOKIE_SECURE = True) in its production settings; manage.py check --deploy warns when either is left off. Where the cookie must be secure regardless of configuration, pass secure=True directly. Marking the cookie secure protects it against interception on the network; it does not stop script running in the page from reading it, which is what the separate httponly=True argument of set_cookie is for.
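The check a reviewer or a test suite would actually run against the two views above is on the Set-Cookie header the response carries, not on the source. The following is an added example, not code from the original page or from Django: a small parser for Set-Cookie header values plus an audit function that reports which hardening attributes a cookie lacks. The two header strings are constructed to match what Django's set_cookie() emits for the vulnerable view and for the fixed view with SESSION_COOKIE_SECURE = True (the fixed view here also assumes httponly=True and samesite="Lax" were passed, which the original fix does not do); no Django install is needed to run it.

```python
"""Audit Set-Cookie headers for the Secure flag and the other hardening
attributes that Django's HttpResponse.set_cookie() can emit.

Added example, not part of the original page. The sample headers below are
constructed to look like Django output for the views discussed on the page.
"""
from dataclasses import dataclass, field


@dataclass
class ParsedCookie:
    name: str
    value: str
    # Attribute names are case-insensitive (RFC 6265); stored lower-cased.
    # Value-less flags such as Secure and HttpOnly are stored as True.
    attributes: dict = field(default_factory=dict)


def parse_set_cookie(header: str) -> ParsedCookie:
    """Split one Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep:
        raise ValueError(f"malformed Set-Cookie (no '='): {header!r}")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return ParsedCookie(name.strip(), value.strip(), attrs)


def missing_protections(header: str) -> list:
    """Return the hardening attributes a Set-Cookie header lacks.

    'Secure' is the flag this page is about. 'HttpOnly' and a restrictive
    'SameSite' are the other two attributes set_cookie() accepts and that a
    reviewer would normally expect on a cookie holding sensitive data.
    SameSite=None is deliberately not counted as protective.
    """
    cookie = parse_set_cookie(header)
    missing = []
    if "secure" not in cookie.attributes:
        missing.append("Secure")
    if "httponly" not in cookie.attributes:
        missing.append("HttpOnly")
    samesite = cookie.attributes.get("samesite")
    if not isinstance(samesite, str) or samesite.lower() not in ("lax", "strict"):
        missing.append("SameSite=Lax|Strict")
    return missing


def audit_headers(set_cookie_headers: list) -> dict:
    """Map each cookie name to the protections its Set-Cookie header lacks."""
    return {
        parse_set_cookie(h).name: missing_protections(h)
        for h in set_cookie_headers
    }


# Constructed: what the vulnerable view's response carries (no Secure flag).
VULNERABLE_HEADER = 'sensitive_cookie="sensitive data"; Path=/'
# Constructed: the fixed view with SESSION_COOKIE_SECURE = True, assuming
# httponly=True and samesite="Lax" were also passed to set_cookie().
HARDENED_HEADER = 'sensitive_cookie="sensitive data"; HttpOnly; Path=/; SameSite=Lax; Secure'


if __name__ == "__main__":
    for label, header in (("vulnerable", VULNERABLE_HEADER), ("hardened", HARDENED_HEADER)):
        gaps = missing_protections(header)
        print(f"{label}: {'OK' if not gaps else 'missing ' + ', '.join(gaps)}")
```

In a Django test this would be fed from response.cookies['sensitive_cookie'].OutputString() or the raw Set-Cookie header returned by the test client; the hardened header shown corresponds to calling response.set_cookie('sensitive_cookie', 'sensitive data', secure=True, httponly=True, samesite='Lax').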