
Cookie with Insecure or Improper or Missing SameSite attribute

Open JasonCTang opened this issue 1 year ago • 1 comment

Describe the Bug

Sensitive Cookie with Improper or Insecure or Missing SameSite Attribute. Prevent cookie information leakage by restricting cookies to a first-party or same-site context. Attacks can extend to Cross-Site Request Forgery (CSRF) attacks if there are no additional protections in place (such as anti-CSRF tokens).

The SameSite attribute controls how cookies are sent for cross-domain requests. The attribute may have three values: 'Lax', 'Strict', or 'None'. If 'None' is used, a website may create a cross-domain POST HTTP request to another website, and the browser automatically adds cookies to this request. This may lead to CSRF attacks if there are no additional protections in place (such as anti-CSRF tokens).

Modes and their uses:

  • 'Lax' mode: the cookie will only be sent with a top-level GET request.
  • 'Strict' mode: the cookie will not be sent with any cross-site usage, even if the user follows a link to another website.
  • 'None' mode: the cookie will be sent with cross-site requests.

Affected URLs

  • https://test-aest-sims.apps.silver.devops.gov.bc.ca:443/

Associated scan documents

Recommended Fix

[1] Review possible solutions for configuring the SameSite cookie attribute to recommended values.
[2] Restrict cookies to a first-party or same-site context.
[3] Verify and set the SameSite attribute of your cookie to Strict, to ensure that the cookie will only be sent in a first-party context.
[4] Or, if you want to relax the restrictions of the first-party context, verify and set the SameSite attribute of the cookie to Lax with the Secure flag enabled, so that it is only transferred over HTTPS.

Additional Information

  • Associated scan reports: https://bcgov.sharepoint.com/:f:/r/teams/03177/Shared%20Documents/DEVS/Releases/WAVA%20Scan/main-3112?csf=1&web=1&e=6GBeY3

JasonCTang avatar Aug 06 '24 22:08 JasonCTang
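The report above lists the three SameSite modes and the recommended fix (Strict, or Lax plus Secure). What a practitioner wants next is a repeatable check of the actual Set-Cookie headers a host returns. The following is an added example, not code from the SIMS project or from the scan tool: a small Set-Cookie auditor that parses each header, flags a missing or weak SameSite attribute and a missing Secure flag, and can optionally be pointed at a live URL. The sample headers are constructed for illustration (the first one only mimics the shape of an HAProxy affinity cookie; the real cookie names are not in the thread), and the default browser behaviour noted in the findings is that of Chromium-based browsers.

```python
"""Audit Set-Cookie headers for SameSite / Secure hygiene.

Added example (not the project's own code). Sample headers below are
constructed; run audit_url() against a real host to see live results.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
import urllib.request


@dataclass
class CookieAudit:
    name: str
    samesite: Optional[str]            # None when the attribute is absent
    secure: bool
    httponly: bool
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie header value: name=value followed by ';'-separated attributes."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    samesite: Optional[str] = None
    secure = httponly = False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "samesite":
            samesite = val              # keep original casing for reporting
        elif key == "secure":
            secure = True
        elif key == "httponly":
            httponly = True
    return CookieAudit(name, samesite, secure, httponly)


def audit(header: str) -> CookieAudit:
    """Apply the SameSite / Secure rules from the report to a parsed cookie."""
    c = parse_set_cookie(header)
    ss = (c.samesite or "").lower()
    if c.samesite is None:
        c.findings.append("missing SameSite (Chromium treats it as Lax; be explicit)")
    elif ss == "none":
        if not c.secure:
            c.findings.append("SameSite=None without Secure: Chromium rejects the cookie")
        else:
            c.findings.append("SameSite=None: sent on cross-site requests; needs anti-CSRF tokens")
    elif ss not in ("lax", "strict"):
        c.findings.append(f"invalid SameSite value {c.samesite!r}: treated as unspecified")
    if not c.secure:
        c.findings.append("missing Secure: cookie may be sent over plain HTTP")
    return c


def audit_all(headers: List[str]) -> Dict[str, List[str]]:
    """Map cookie name -> list of findings (empty list means the cookie passed)."""
    return {a.name: a.findings for a in (audit(h) for h in headers)}


def audit_url(url: str) -> Dict[str, List[str]]:
    """Fetch a URL and audit every Set-Cookie header it returns (network call)."""
    with urllib.request.urlopen(url) as resp:       # follows redirects by default
        return audit_all(resp.headers.get_all("Set-Cookie") or [])


# Constructed samples: an affinity-style cookie with no SameSite/Secure,
# a hardened session cookie, a broken SameSite=None, and a Lax+Secure token.
SAMPLE_HEADERS = [
    "a3f0c2d1e4b5=9f8e7d6c5b4a3210; Path=/; HttpOnly",
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
    "tracker=xyz; Path=/; SameSite=None",
    "csrftoken=tok; Path=/; Secure; SameSite=Lax",
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_HEADERS).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

Pointing audit_url() at the affected host shows whether the route still emits affinity cookies at all, and if so, how they are attributed; a cookie that is absent from the response cannot fail the check.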

This ticket will be fixed directly by #3193

The cookies in question are generated by the OpenShift Routes, and adding the annotations below to the routes will resolve the issue. If you want to verify, you can set disable_cookies to false with the rest, and when refreshed the two cookies will now be named RouteCookie.

Annotations suggested:

```yaml
haproxy.router.openshift.io/balance: roundrobin
haproxy.router.openshift.io/disable_cookies: 'true'
haproxy.router.openshift.io/hsts_header: max-age=31536000;includeSubDomains;preload
haproxy.router.openshift.io/timeout: 60s
router.openshift.io/cookie_name: RouteCookie
```

I propose you close this ticket and we implement with the OCP routes.

sslaws avatar Aug 07 '24 16:08 sslaws
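For context on where the annotations proposed above sit, here is an added example of a complete OpenShift Route carrying them; it is not the project's own manifest. The route name, service name, and TLS settings are assumptions; only the host comes from the affected-URL list and the annotations from the comment above.

```yaml
# Added example, not the SIMS project's manifest. Name, service, and TLS
# settings are assumed; annotations are the ones proposed in the thread.
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: sims-web                      # assumed
  annotations:
    haproxy.router.openshift.io/balance: roundrobin
    haproxy.router.openshift.io/disable_cookies: 'true'
    haproxy.router.openshift.io/hsts_header: max-age=31536000;includeSubDomains;preload
    haproxy.router.openshift.io/timeout: 60s
    router.openshift.io/cookie_name: RouteCookie
spec:
  host: test-aest-sims.apps.silver.devops.gov.bc.ca
  to:
    kind: Service
    name: sims-web                    # assumed
  tls:
    termination: edge                 # assumed; hsts_header only applies to TLS routes
    insecureEdgeTerminationPolicy: Redirect
```

Two caveats when applying this: the HSTS annotation is only honoured on a TLS (edge or re-encrypt) route, and disable_cookies removes the router's affinity cookie entirely, so the application must not depend on HAProxy sticky sessions to keep a user on one pod.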