
discussion - merge 3.4.6 to 3.4.2?

Open elarlang opened this issue 3 years ago • 2 comments

I created 3.4.6 myself but now, looking at it, I think in a way those are duplicates of 3.4.2 and can be merged.

From a checklist perspective those are separate checks, but they have the same goal - the session token cookie value should not be readable for JavaScript.

V3.4 Cookie-based Session Management

| # | Description | L1 | L2 | L3 | CWE | NIST § |
|---|---|---|---|---|---|---|
| 3.4.2 | Verify that cookie-based session tokens have the 'HttpOnly' attribute set. (C6) | | | | 1004 | 7.1.1 |
| 3.4.6 | [ADDED] Verify that cookie-based session tokens are only transferred in Set-Cookie and Cookie headers. | | | | 200 | |

If we do not merge, then change 3.4.6 to "Verify that cookie-based session tokens are only transferred to the client in a Set-Cookie header".

elarlang avatar May 12 '22 11:05 elarlang

I think these are fine as separate requirements.

An alternative would be to have a requirement like "Verify that session tokens are not accessible by JavaScript", but that is too broad in my opinion. Both testers and implementors would not know what is included in that requirement.

Sjord avatar Aug 13 '22 12:08 Sjord

Maybe a combination of them?

Something like (wording/grammar help needed): Verify that cookie-based session tokens are not readable for client-side scripts - session token cookie has the 'HttpOnly' attribute set and cookie value is transferred to the client only in the Set-Cookie header.

elarlang avatar Oct 03 '22 06:10 elarlang

I think we should keep them as separate.

@elarlang why did you remove the bit about the "Cookie header"? It seems to me that the Set-Cookie and Cookie headers are indeed the only places we want to see these.

tghosth avatar Jul 10 '23 18:07 tghosth

The Cookie header does not add any limits here. If a cookie is set, it is transferred anyway via the Cookie header.

If client-side JavaScript cannot read the cookie (HttpOnly), it cannot be sent any other way.

If the cookie is set only via the Set-Cookie header, it cannot be read by JavaScript on the client side (from the HTTP response body, for example).

elarlang avatar Jul 17 '23 07:07 elarlang
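The two conditions discussed in this thread (the session cookie carries `HttpOnly`, and the token value reaches the client only inside a `Set-Cookie` header, never in the body or another header) can be checked mechanically against a captured HTTP response. The following is an added example, not ASVS project code or code from anyone in this thread; it assumes the session cookie is named `SESSIONID`, and the sample responses are constructed for illustration.

```python
"""Audit one HTTP response against the combined 3.4.2 / 3.4.6 requirement.

Added example (not ASVS project code). Assumptions: the session cookie is
named SESSIONID; headers are given as a list of (name, value) pairs so that
repeated Set-Cookie headers survive; the body is the decoded response text.
"""
from http.cookies import SimpleCookie

SESSION_COOKIE = "SESSIONID"  # assumed name of the session cookie


def audit_session_cookie(headers, body, cookie_name=SESSION_COOKIE):
    """Return a list of findings; an empty list means both checks pass.

    3.4.2: the session cookie must be set with the HttpOnly attribute.
    3.4.6: the token value must not appear anywhere the client can read it
           other than the Set-Cookie header (response body, other headers).
    """
    findings = []
    token = None

    # Parse every Set-Cookie header separately; SimpleCookie exposes the
    # HttpOnly flag as morsel["httponly"] (True when present, "" otherwise).
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)
        morsel = jar.get(cookie_name)
        if morsel is None:
            continue
        token = morsel.value
        if not morsel["httponly"]:
            findings.append(
                f"3.4.2: session cookie '{cookie_name}' is set without HttpOnly")

    if token is None:
        # Nothing to check for leakage if this response did not set the cookie.
        return findings

    # 3.4.6: the token value must not be echoed outside Set-Cookie.
    for name, value in headers:
        if name.lower() != "set-cookie" and token in value:
            findings.append(
                f"3.4.6: session token value appears in header '{name}'")
    if token in body:
        findings.append("3.4.6: session token value appears in the response body")

    return findings


# Constructed sample responses (not real traffic).
BAD_HEADERS = [
    ("Content-Type", "application/json"),
    ("Set-Cookie", "SESSIONID=8f3c2a9d1e; Path=/; Secure"),   # no HttpOnly
    ("X-Session-Token", "8f3c2a9d1e"),                         # token in a header
]
BAD_BODY = '{"session_id": "8f3c2a9d1e", "user": "alice"}'    # token in the body

GOOD_HEADERS = [
    ("Content-Type", "application/json"),
    ("Set-Cookie", "SESSIONID=8f3c2a9d1e; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/"),                      # unrelated cookie
]
GOOD_BODY = '{"user": "alice"}'

if __name__ == "__main__":
    for label, hdrs, body in (("bad", BAD_HEADERS, BAD_BODY),
                              ("good", GOOD_HEADERS, GOOD_BODY)):
        print(label, audit_session_cookie(hdrs, body) or ["pass"])
```

The body check is a plain substring search, which is deliberately strict: a token that shows up in a JSON field, a script block, or a hidden form field is readable by client-side script regardless of the cookie's `HttpOnly` flag, which is exactly the gap the combined wording is meant to close.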

Created #1705 to resolve this.

tghosth avatar Aug 06 '23 00:08 tghosth

Current: Verify that cookie-based session tokens are not readable by client-side scripts. The session token cookie should have the 'HttpOnly' attribute set and the cookie value should only be transferred to the client via the Set-Cookie header.

Correction proposal: Verify that cookie-based session tokens are not readable by client-side scripts. The session token cookie should have the 'HttpOnly' attribute set and the session token value should only be transferred to the client via the Set-Cookie header.

elarlang avatar Oct 17 '23 10:10 elarlang