
⚡️Add sensitive data Cookie types

Open Ankita28g opened this issue 1 year ago • 13 comments

💭 Introduction

Akto allows users to find sensitive params in request and response of APIs. These sensitive params include PII data such as SSN, Credit card number, phone number etc. You can check how it works in the docs.

Your task is to add cookie types as sensitive params.

👀 Impact

Your task will give users the ability to detect cookie types as sensitive data types.

🎯 Requirements

  • Understanding of regex
  • Understanding of unit test

✅ Task summary:

  • [ ] Ask to be assigned to the issue.
  • [ ] Wait to be assigned. We will try to assign in less than 2 hours.
  • [ ] Make regular expressions for below cookie types. Feel free to add your own too.
  • [ ] Please provide the reference URL that mentions the nature of the cookie.
  • [ ] Add an entry in the fintech.json file
  • [ ] Add a test case entry in TestFintechTypes.java
  • [ ] Submit a pull request here

(facebook, intercom, google ads, hotjar, fullstory, mixpanel, appsflyer)

🙋🏼‍♂️ Questions:

If you have questions, need any help, or just want to hang out, make sure to join us on our Discord server.

Ankita28g avatar Mar 04 '23 11:03 Ankita28g

Hi Ankita, I would like to try on this issue and contribute. Can you please assign me to this issue?

bhavya-error404 avatar Mar 25 '23 14:03 bhavya-error404

Hi @bhavya-error404, assigned to you! Happy hackfesting 🎉

Ankita28g avatar Mar 25 '23 16:03 Ankita28g

Hi @Ankita28g, I need to add regex for facebook, intercom, etc. cookie types. For example, a regex that would be able to detect a facebook cookie, right?

bhavya-error404 avatar Mar 28 '23 19:03 bhavya-error404

Hi @bhavya-error404 - yes. In this case, you might want to add the regexes based on keys rather than values. They can be cookie names for products or infrastructure -

For example,

  • _ga, _gid are for Google Analytics
  • intercom.* is for Intercom

examples for infra based are -

  • .*srf.* is for CSRF token
  • JSESSIONID is for Jetty session
  • AWS.* for AWS Loadbalancer cookies

ankush-jain-akto avatar Mar 30 '23 10:03 ankush-jain-akto

Hi @bhavya-error404 thanks for your submission in Hackfest. 🔥 We are reviewing your work. Do these two below:

Join this group on discord for discussions around prizes 🚀 🏆 Please fill this form for your PR to be considered for prizes!

Ankita28g avatar Apr 11 '23 09:04 Ankita28g

Hi @bhavya-error404, did you submit a PR here?

Ankita28g avatar May 20 '23 12:05 Ankita28g

Yes Ankita.

bhavya-error404 avatar May 27 '23 12:05 bhavya-error404

here is the link https://github.com/akto-api-security/akto/pull/251

bhavya-error404 avatar May 27 '23 12:05 bhavya-error404

@ankush-jain-akto, @Ankita28g I can pick this up. Can you please assign this to me?

harshalkh avatar Oct 17 '23 03:10 harshalkh

@Ankita28g @ankush-jain-akto - I have analysed the list of cookies and below are the details - Is it good to proceed? Also, do I need to have a separate entry in fintech.json for each product/infrastructure?

Facebook cookies:

  • c_user.*
  • datr
  • csrf
  • _fbp, _fbc

Ref: https://www.facebook.com/privacy/policies/cookies/?annotations[0]=explanation%2F1_common_cookies_and_uses

Intercom cookies:

  • intercom.*

Ref: https://www.intercom.com/help/en/articles/2361922-intercom-messenger-cookies

Google Ads cookies:

  • _ga
  • _gid

Ref:

Hotjar cookies:

  • csrf.*
  • optanon.*
  • _dc_gtm_UA_.*
  • .*consent
  • cf.*
  • __cf.*
  • user.*
  • ts.*
  • nsid

Ref: https://help.hotjar.com/hc/en-us/articles/115011789248-Cookies-on-hotjar-com#cookies_set_by_hotjar_website

FullStory cookies:

  • fs_.*
  • _fs.*

Ref: https://help.fullstory.com/hc/en-us/articles/360020829513-Why-FullStory-uses-First-Party-Cookies

Mixpanel cookies:

  • .*mixpanel-.*
  • mp.*

Ref: https://cookiedatabase.org/service/mixpanel/

AppsFlyer cookies:

  • _hj.*
  • _ym.*

Ref: https://www.appsflyer.com/legal/cookie-list/

harshalkh avatar Oct 18 '23 02:10 harshalkh


@Ankita28g / @ankush-jain-akto - is it good for me to proceed? If yes, could you assign this to me?

harshalkh avatar Oct 20 '23 13:10 harshalkh

Hi @harshalkh

Your analysis is correct, but we should be cautious about over-tagging, especially with common cookies like csrf, as it could lead to false positives. To minimize this, please refine the list, focusing on unique cookies specific to Facebook, like _fbp and _fbc. I've assigned the issue to you in the meantime.

avneesh-akto avatar Oct 22 '23 13:10 avneesh-akto
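An added example, not Akto's code and not the real fintech.json schema, showing the key-based (cookie-name) regex matching ankush-jain-akto describes and the over-tagging check avneesh-akto asks for. The pattern table, type names, sample Cookie header and cookie-name corpus are all constructed for illustration.

```python
import re
from typing import Dict, List, Set

# Constructed pattern table keyed by product/infrastructure (assumed layout, not
# Akto's fintech.json). Regexes are applied to the cookie NAME, never its value,
# and are anchored via re.fullmatch so "_ga" does not also tag "_gat".
COOKIE_TYPE_PATTERNS: Dict[str, List[str]] = {
    "FACEBOOK_COOKIE": [r"_fbp", r"_fbc"],
    "INTERCOM_COOKIE": [r"intercom.*"],
    "GOOGLE_ANALYTICS_COOKIE": [r"_ga", r"_gid"],
    "FULLSTORY_COOKIE": [r"fs_.*", r"_fs.*"],
    "MIXPANEL_COOKIE": [r".*mixpanel-.*", r"mp.*"],
    "JETTY_SESSION_COOKIE": [r"JSESSIONID"],
    "AWS_ELB_COOKIE": [r"AWS.*"],
}
COMPILED = {t: [re.compile(p) for p in ps] for t, ps in COOKIE_TYPE_PATTERNS.items()}

def cookie_names(header: str) -> List[str]:
    """Extract cookie names from a raw Cookie request-header value."""
    names = []
    for part in header.split(";"):
        part = part.strip()
        if part:                                  # skip empty segments
            names.append(part.split("=", 1)[0].strip())
    return names

def classify(name: str) -> List[str]:
    """Every cookie type whose key regex fully matches this cookie name."""
    return [t for t, regs in COMPILED.items() if any(r.fullmatch(name) for r in regs)]

def tag_header(header: str) -> Dict[str, List[str]]:
    """Map each sensitive cookie name in the header to the types it was tagged with."""
    tagged = {n: classify(n) for n in cookie_names(header)}
    return {n: types for n, types in tagged.items() if types}

def matched(pattern: str, corpus: List[str]) -> List[str]:
    """Cookie names in the corpus that a candidate key regex would tag."""
    return [n for n in corpus if re.fullmatch(pattern, n)]

def false_positive_rate(pattern: str, corpus: List[str], vendor_names: Set[str]) -> float:
    """Share of tagged names that are NOT genuine vendor cookies (over-tagging)."""
    hits = matched(pattern, corpus)
    return sum(1 for n in hits if n not in vendor_names) / len(hits) if hits else 0.0

# Constructed sample header and a constructed corpus of cookie names from unrelated apps.
SAMPLE_HEADER = "_fbp=fb.1.1; _ga=GA1.2.1; JSESSIONID=abc; csrftoken=xyz; mp_1_mixpanel=%7B%7D; theme=dark"
GENERIC_CORPUS = ["csrftoken", "XSRF-TOKEN", "_csrf", "csrf", "_fbp", "mp_abc_mixpanel", "session"]
FACEBOOK_NAMES = {"_fbp", "_fbc"}
```

Against the constructed corpus, a Facebook entry built on `csrf.*` tags only non-Facebook cookies, whereas `_fbp` tags nothing but the real one.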


@avneesh-akto - I have made the changes and tested them by modifying the json file link inside the test case. Please review - https://github.com/akto-api-security/akto/pull/682

harshalkh avatar Oct 23 '23 10:10 harshalkh