
alertRef 10054 seems to miss filling evidence when SAMESITE is set to None


Describe the bug

Response sets cookies like this:

[Screenshot of the response headers, 2022-06-23]

I get results in JSON:

					"pluginid": "10054",
					"alertRef": "10054",
					"alert": "Cookie with SameSite Attribute None",
					"name": "Cookie with SameSite Attribute None",
					"riskcode": "1",
					"confidence": "2",
					"riskdesc": "Low (Medium)",
					"desc": "<p>A cookie has been set with its SameSite attribute set to \"none\", which means that the cookie can be sent as a result of a 'cross-site' request. The SameSite attribute is an effective counter measure to cross-site request forgery, cross-site script inclusion, and timing attacks.</p>",
					"instances":[ 
						{
							"uri": "https://app.shoobx.com/",
							"method": "GET",
							"param": "",
							"attack": "",
							"evidence": ""
						},
						{
							"uri": "https://app.shoobx.com/robots.txt",
							"method": "GET",
							"param": "",
							"attack": "",
							"evidence": ""
						}
					],
					"count": "2",
					"solution": "<p>Ensure that the SameSite attribute is set to either 'lax' or ideally 'strict' for all cookies.</p>",
					"otherinfo": "",
					"reference": "<p>https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site</p>",
					"cweid": "1275",
					"wascid": "13",
					"sourceid": "1"
				},
				{
					"pluginid": "10054",
					"alertRef": "10054",
					"alert": "Cookie without SameSite Attribute",
					"name": "Cookie without SameSite Attribute",
					"riskcode": "1",
					"confidence": "2",
					"riskdesc": "Low (Medium)",
					"desc": "<p>A cookie has been set without the SameSite attribute, which means that the cookie can be sent as a result of a 'cross-site' request. The SameSite attribute is an effective counter measure to cross-site request forgery, cross-site script inclusion, and timing attacks.</p>",
					"instances":[ 
						{
							"uri": "https://app.shoobx.com/",
							"method": "GET",
							"param": "AWSELB",
							"attack": "",
							"evidence": "Set-Cookie: AWSELB"
						},
						{
							"uri": "https://app.shoobx.com/robots.txt",
							"method": "GET",
							"param": "AWSELB",
							"attack": "",
							"evidence": "Set-Cookie: AWSELB"
						}
					],
					"count": "2",
					"solution": "<p>Ensure that the SameSite attribute is set to either 'lax' or ideally 'strict' for all cookies.</p>",
					"otherinfo": "",
					"reference": "<p>https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site</p>",
					"cweid": "1275",
					"wascid": "13",
					"sourceid": "1"
				},

Evidence gets filled when SAMESITE is unset, but not when SAMESITE is None.

Steps to reproduce the behavior

see above

Expected behavior

I think evidence should contain “Set-Cookie: AWSELBCORS”

Software versions

"@version": "2.11.1"

Screenshots

No response

Errors from the zap.log file

No response

Additional context

No response

Would you like to help fix this issue?

  • Yes
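A minimal reimplementation of the 10054 check discussed above, added here as an illustration and not code from ZAP or the reporter: it parses Set-Cookie headers, classifies the SameSite attribute, and fills the evidence field for the SameSite=None case as well as the missing-attribute case. The sample header values and the "Bad Value" label used for invalid attribute values are constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample response headers modelled on the report; cookie values are placeholders.
SAMPLE_HEADERS = [
    "Set-Cookie: AWSELB=placeholder; Path=/",                            # no SameSite
    "Set-Cookie: AWSELBCORS=placeholder; Path=/; SameSite=None; Secure",  # SameSite=None
    "Set-Cookie: session=placeholder; Path=/; HttpOnly; SameSite=Lax",   # compliant
]

@dataclass
class Finding:
    alert: str     # alert name, using the two 10054 variants shown in the report
    param: str     # cookie name, as in ZAP's "param" field
    evidence: str  # "Set-Cookie: <name>", the text the reporter expects to see

def cookie_name(header: str) -> str:
    """Name of the cookie in a Set-Cookie header (text before the first '=')."""
    body = header.split(":", 1)[1]
    return body.split(";", 1)[0].split("=", 1)[0].strip()

def samesite_value(header: str) -> Optional[str]:
    """Lower-cased SameSite value, or None when the attribute is absent."""
    for attr in header.split(";")[1:]:
        key, _, value = attr.strip().partition("=")
        if key.strip().lower() == "samesite":
            return value.strip().lower()
    return None

def check_samesite(header: str) -> Optional[Finding]:
    """Classify one Set-Cookie header; evidence is filled for every reported case."""
    name = cookie_name(header)
    evidence = f"Set-Cookie: {name}"   # same shape as the non-empty evidence in the report
    value = samesite_value(header)
    if value is None:
        return Finding("Cookie without SameSite Attribute", name, evidence)
    if value in ("lax", "strict"):
        return None
    if value == "none":
        return Finding("Cookie with SameSite Attribute None", name, evidence)
    # Any other value is invalid; this label is the example's own, not one from the report.
    return Finding("Cookie with SameSite Attribute Bad Value", name, evidence)

def scan(headers: List[str]) -> List[Finding]:
    """Run the check over all Set-Cookie headers of one response, in order."""
    cookies = (h for h in headers if h.lower().startswith("set-cookie:"))
    return [f for f in map(check_samesite, cookies) if f is not None]

if __name__ == "__main__":
    for f in scan(SAMPLE_HEADERS):
        print(f"{f.alert:40} param={f.param:12} evidence='{f.evidence}'")
```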

Issue Analytics

  • State: closed
  • Created a year ago
  • Comments: 6 (3 by maintainers)

Top GitHub Comments

1 reaction
agroszer commented, Jun 23, 2022

@kingthorin what do I do? pointers please

0 reactions
github-actions[bot] commented, Sep 23, 2022

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

