public CheckPasvCookieLooselyScoped()
{
configpanel = new CookieCheckConfigPanel(this);
configpanel.Init();
configpanel.enablefiltercheckBox.Visible = false; //Hack requested to enable filtering always
CheckCategory = WatcherCheckCategory.Cookie;
LongName = "Cookie - Look for cookies with loosely scoped domain restrictions.";
LongDescription = "Cookies can be scoped by domain or path. This check is only concerned with domain scope.The domain scope applied to a cookie determines which domains can access it. For example, a cookie can be scoped strictly to a subdomain e.g. www.nottrusted.com, or loosely scoped to a parent domain e.g. nottrusted.com. In the latter case, any subdomain of nottrusted.com can access the cookieLoosely scoped cookies are common in mega-applications like google.com and live.com.";
ShortName = "Cookie's domain was loosely scoped";
ShortDescription = "The response included a Set-Cookie header that specified a loosely scoped domain:\r\n\r\n";
Reference = "http://websecuritytool.codeplex.com/wikipage?title=Checks#cookie-loosely-scoped-domain";
Recommendation = "Always scope cookies to a FQDN.";
}
public CheckPasvCookieHTTPOnly()
{
// Complies with OWASP ASVL 2 (DVR 11.1)
StandardsCompliance = WatcherCheckStandardsCompliance.OwaspAppSecVerificationLevel2;
configpanel = new CookieCheckConfigPanel(this);
configpanel.Init();
configpanel.enablefiltercheckBox.Visible = false; //Hack requested to enable filtering always
CheckCategory = WatcherCheckCategory.Cookie;
LongName = "Cookie - Look for instances where the HTTPOnly cookie flag is not being set.";
LongDescription = "This check looks for cookies that don't have the HTTPOnly flag set. The HttpOnly flag was invented to reduce the affect of XSS vulnerabilities, by preventing them from reading user cookies. When a cookie is set with the HTTPOnly flag, it instructs the browser that the cookie can only be accessed by the server. In other words, client-side script is forbidden from accessing the cookie. This is an important security protection for session cookies and other sensitive cookies, but less important for others. Because Watcher can't distinguish between the important and unimportant cookies, you can configure an inclusive or exclusive list of cookie names to watch.";
ShortName = "Cookie's HTTPOnly flag was not set";
ShortDescription = "The response included a Set-Cookie header that did not include the HTTPOnly attribute:";
Reference = "http://websecuritytool.codeplex.com/wikipage?title=Checks#cookie-not-setting-httponly-flag";
Recommendation = "Always set the 'HttpOnly' flag for session cookies and other sensitive cookies that should never be read by javascript.";
}
public CheckPasvCookieSecure()
{
// Complies with OWASP ASVL 2 (DVR 11.2)
StandardsCompliance = WatcherCheckStandardsCompliance.OwaspAppSecVerificationLevel2;
configpanel = new CookieCheckConfigPanel(this);
configpanel.Init();
configpanel.enablefiltercheckBox.Visible = false; //Hack requested to enable filtering always
CheckCategory = WatcherCheckCategory.Cookie;
LongName = "Cookie - Look for cookies without the \"secure\" attribute.";
LongDescription = "This check identifes cookies set over SSL which don't set the 'secure' flag. When a cookie is set with the 'secure' flag, it instructs the browser that the cookie can only be accessed over secure SSL channels. This is an important security protection for session cookies and other sensitive cookies that should never leak or be passed over an unencrypted channel. Because Watcher can't distinguish between the important and unimportant cookies, you can configure an inclusive or exclusive list of cookie names to watch.";
ShortName = "Cookie's secure flag was not set";
ShortDescription = "A response over TLS/SSL included a Set-Cookie header that did not include the secure attribute:\r\n\r\n";
Reference = "http://websecuritytool.codeplex.com/wikipage?title=Checks#cookie-not-setting-secure-flag";
Recommendation = "Always set the 'secure' flag for session cookies and other sensitive cookies that should never be sent over unencrypted channels.";
}
