Secure generation of cookies with the HttpOnly attribute
import express from 'express';
const app = express();
app.get('/', (req, res) => {
const sensitiveData = 'sensitive information';
res.cookie('session', sensitiveData);
res.send('Hello World!');
});
app.listen(3000, () => {
console.log('Server is running on port 3000');
});
The vulnerability in this code is that the cookie is generated without setting the HttpOnly attribute. The res.cookie() function sets a cookie named 'session' with the value of the sensitiveData variable, but the HttpOnly attribute is never set explicitly, and Express does not add it by default.

The HttpOnly attribute is an important security feature that prevents client-side scripts, such as JavaScript, from accessing the cookie (the browser does not expose it through document.cookie). It helps mitigate the impact of cross-site scripting (XSS) attacks, where an attacker injects a malicious script into a website and uses it to steal sensitive information such as session cookies.

Without the HttpOnly attribute, an attacker who achieves XSS in the application could read the 'session' cookie from the injected script and obtain the sensitive information stored in it. Note that HttpOnly limits what an injected script can read; it does not prevent the injection itself, so it complements output encoding and a Content Security Policy rather than replacing them.

To fix this vulnerability, the application should set the HttpOnly attribute when generating the cookie. This is done by passing an options object as the third argument to the res.cookie() function and setting its httpOnly property to true.
import express from 'express';
import cookieParser from 'cookie-parser';
const app = express();
app.use(cookieParser());
app.get('/', (req, res) => {
const sensitiveData = 'sensitive information';
res.cookie('session', sensitiveData, { httpOnly: true });
res.send('Hello World!');
});
app.listen(3000, () => {
console.log('Server is running on port 3000');
});
The fixed code addresses the vulnerability by generating the cookie with the HttpOnly attribute set.

First, the code imports the necessary modules: express and cookie-parser. cookie-parser parses the cookies on incoming requests; it is not required for the fix itself, which lies entirely in the options passed to res.cookie().

The code then creates an instance of the Express application and registers the cookie-parser middleware with app.use(cookieParser()). This middleware parses the cookies in incoming requests and makes them available in the req.cookies object.

Next, the code defines a route handler for the root path (/). Inside this handler, the variable sensitiveData holds the sensitive information that needs to be stored in the cookie.

To generate the cookie securely, the code uses the res.cookie method provided by Express. It sets the cookie with the name 'session', the value of sensitiveData, and an options object as the third argument. In this options object the httpOnly property is set to true, so Express appends the HttpOnly attribute to the Set-Cookie header and the browser will not let client-side JavaScript read or modify the cookie.

Finally, the code sends a response with the message 'Hello World!' using res.send, and the server listens on port 3000 using app.listen.

By setting httpOnly to true in the cookie options, the fixed code ensures that the sensitive information stored in the cookie cannot be read by scripts injected through cross-site scripting (XSS). In a production deployment the same options object would normally also set secure: true (send the cookie only over HTTPS) and a sameSite value, both of which Express accepts in the same res.cookie() call.
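As an added example that is not part of the original page, the following script audits Set-Cookie header values and flags a session cookie sent without HttpOnly; it goes beyond the page's fix by also checking for Secure and SameSite. The sample headers are constructed, and the cookie name 'session' is an assumption taken from the page's code.

```javascript
// Added example, not from the original page: audit Set-Cookie header values for
// the HttpOnly attribute (plus Secure and SameSite). Runs offline on constructed
// header strings; no Express server is needed.

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are case-insensitive (RFC 6265), so keys are lower-cased.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name, value, attrs };
}

// Return the findings for one Set-Cookie value. Only cookies whose name is in
// sensitiveNames are checked (assumption: 'session', as on the page). An empty
// array means the cookie passes this check.
function auditSetCookie(header, sensitiveNames = ['session']) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  if (!sensitiveNames.includes(name)) return findings;
  if (!attrs.httponly) findings.push('missing HttpOnly');
  if (!attrs.secure) findings.push('missing Secure');
  if (!attrs.samesite) findings.push('missing SameSite');
  return findings;
}

// Constructed sample headers. VULNERABLE mirrors what the unfixed handler sends
// (Express URL-encodes the value and adds Path=/ by default); FIXED is a
// hardened version with all three attributes present.
const VULNERABLE = 'session=sensitive%20information; Path=/';
const FIXED = 'session=sensitive%20information; Path=/; HttpOnly; Secure; SameSite=Strict';

for (const h of [VULNERABLE, FIXED]) {
  const f = auditSetCookie(h);
  console.log(`${h}\n  -> ${f.length ? f.join(', ') : 'OK'}`);
}
```

The same function can be run over the Set-Cookie headers captured from a real response (for example from res.getHeader('Set-Cookie') in an Express test) to catch a cookie that regresses to missing HttpOnly.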