Cookie checks
woodruffw opened this issue · 4 comments
If the server sends us one or more cookies:
- Each cookie should have the `secure` flag, to prevent transmission over HTTP. If any cookies are missing the `secure` flag, it's a `FAIL`.
  - Rationale: There's absolutely no reason to be sending cookies over plain old HTTP in 2018, so there's absolutely no reason to not pass the `secure` flag.
- Each cookie should have the `httponly` flag, to prevent client-side access. Each cookie that's missing an `httponly` should receive its own `MEH`.
  - Rationale: There are some legitimate use cases for client-side cookie access, but not many.
Hi, I would like to work on this issue. I'm relatively new to bash scripting, but I would like to give it a try. I was thinking of using the `--cookie-jar` option of curl to get the cookies. I have made a test with the github.com site. Running `curl -s --cookie-jar - https://github.com/ -o /dev/null` I get:

```
# Netscape HTTP Cookie File
# https://curl.haxx.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.
github.com FALSE / FALSE 1539377143 has_recent_activity 1
.github.com TRUE / FALSE 1602531943 _octo GH1.1.1201223134.1539373543
#HttpOnly_.github.com TRUE / TRUE 2170525543 logged_in no
#HttpOnly_github.com FALSE / TRUE 0 _gh_sess ZlVVb2VpbklJSEUrMUE3U0M1aHYrY1J5bEZqRnBpWnhrL2dqd21aNkRJTmo3VGZnWEpIQjVXM09oNlVFQ3g3ZG5ud25pM0pZNUlES2ppSXVhTzB0cUJadWZpeDh2NHZWaTd6NDdIa1hFaUR0RWRzTWZIcytta3pyMVAvaStHcU9LZk90b3BZZlN3OHpJZmljeUZhVGgxZDNlOHRxa0dwSnhJd1Z1WlFucDM5WkduN2FnUW80WGQ5TnAzVkNkT1VqYW5iVnNaS2VJSDdINmg1RlZSNTJ2Zz09LS1iSEEyaUsrNVl4Y0tDU29mcTY5eU5RPT0%3D--6fd6595d5749a5b1edef9b0ace9e7d68172ec8a8
```

After some googling I found out that the 4th column should be the `secure` flag. Regarding the `httponly` flag I couldn't find any official information, nonetheless the prefix `#HttpOnly_` looks like a good candidate. Running `curl -I -s https://github.com/` seems to confirm it.
Does that sound ok? Thanks
Thanks for offering to work on this!
My suggestion would be to parse the `Set-Cookie` HTTP headers instead, since that'll probably be easier (and less likely to change between curl versions).
For example, here are the headers I get (minimized slightly):

```
Set-Cookie: has_recent_activity=1; path=/; expires=Fri, 12 Oct 2018 21:09:58 -0000
Set-Cookie: _octo=foobar; domain=.github.com; path=/; expires=Mon, 12 Oct 2020 20:09:58 -0000
Set-Cookie: logged_in=no; domain=.github.com; path=/; expires=Tue, 12 Oct 2038 20:09:59 -0000; secure; HttpOnly
Set-Cookie: _gh_sess=foobar; path=/; secure; HttpOnly
```

You can use the `get_header` function to retrieve `Set-Cookie` (you may need to modify it/write a slightly modified version to get all of the `Set-Cookie` fields), and then use the `get_field` function to extract a particular field. Check out the stage 2 checks for examples of this.
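As an added, stand-alone example (not the project's script, and not using its `get_header`/`get_field` helpers), here is a POSIX shell sketch of the grading the issue describes: every `Set-Cookie` header is checked for the `secure` and `HttpOnly` attributes, a missing `secure` is a FAIL and a missing `HttpOnly` is a MEH. The sample headers are constructed, modelled on the ones quoted above; on a live run they would come from `curl -sI <url>`.

```shell
#!/bin/sh
# Added example, not the project's own code: grade Set-Cookie headers the way
# the issue describes. On a live run the headers would come from
# `curl -sI "$url"`; here a constructed sample (modelled on the thread) is used.

# Constructed sample response headers.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Set-Cookie: has_recent_activity=1; path=/; expires=Fri, 12 Oct 2018 21:09:58 -0000
Set-Cookie: _octo=foobar; domain=.github.com; path=/; expires=Mon, 12 Oct 2020 20:09:58 -0000
Set-Cookie: logged_in=no; domain=.github.com; path=/; expires=Tue, 12 Oct 2038 20:09:59 -0000; secure; HttpOnly
Set-Cookie: _gh_sess=foobar; path=/; secure; HttpOnly
Content-Type: text/html'

# cookie_has_attr LINE ATTR: succeeds if the Set-Cookie line carries ATTR as a
# whole ';'-separated token (case-insensitive, so "Secure" and "secure" both count).
cookie_has_attr() {
    printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' | tr ';' '\n' \
        | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' | grep -qx "$2"
}

# cookie_name LINE: the cookie name from "Set-Cookie: name=value; ...".
cookie_name() {
    printf '%s\n' "$1" | cut -d: -f2- | cut -d= -f1 | sed 's/^[[:space:]]*//'
}

# grade_cookie LINE: one "FAIL"/"MEH" line per missing flag, or a "PASS" line.
# A cookie missing both flags gets both a FAIL and a MEH line.
grade_cookie() {
    name=$(cookie_name "$1")
    clean=1
    if ! cookie_has_attr "$1" secure; then
        printf 'FAIL %s: missing secure flag\n' "$name"
        clean=0
    fi
    if ! cookie_has_attr "$1" httponly; then
        printf 'MEH %s: missing httponly flag\n' "$name"
        clean=0
    fi
    if [ "$clean" -eq 1 ]; then
        printf 'PASS %s\n' "$name"
    fi
}

# check_cookies < headers: grade every Set-Cookie header on stdin, ignoring the rest.
check_cookies() {
    tr -d '\r' | while IFS= read -r line; do
        case "$line" in
            [Ss][Ee][Tt]-[Cc][Oo][Oo][Kk][Ii][Ee]:*) grade_cookie "$line" ;;
        esac
    done
}

# cookie_grade < headers: overall verdict, FAIL beating MEH beating PASS.
cookie_grade() {
    report=$(check_cookies)
    if printf '%s\n' "$report" | grep -q '^FAIL'; then
        echo FAIL
    elif printf '%s\n' "$report" | grep -q '^MEH'; then
        echo MEH
    else
        echo PASS
    fi
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_HEADERS" | check_cookies
printf 'Overall: %s\n' "$(printf '%s\n' "$SAMPLE_HEADERS" | cookie_grade)"
```

Attributes are matched as whole tokens after splitting on `;`, so a value that merely contains the word "secure" does not count, and the case-insensitive comparison handles both the `secure` and `Secure` spellings servers use. Over the sample above, the two cookies without either flag each produce a FAIL and a MEH line, the two session cookies PASS, and the overall verdict is FAIL.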
nice! thanks for the suggestion, better to reuse existing code as well. I'll check stage 2 and start hacking :)