From 84d295753cad004a06bdf039e2008b0b54604a30 Mon Sep 17 00:00:00 2001
From: "pixeebot-test[bot]" <123999551+pixeebot-test[bot]@users.noreply.github.com>
Date: Mon, 29 Jul 2024 21:41:45 +0000
Subject: [PATCH] (CodeQL) Fixed finding: "Add secure flag to HTTP cookies"

---
 .../java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpoint.java | 2 ++
 .../webgoat/lessons/spoofcookie/SpoofCookieAssignment.java | 1 +
 2 files changed, 3 insertions(+)

diff --git a/src/main/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpoint.java b/src/main/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpoint.java
index 632449822b..ee88b61dba 100644
--- a/src/main/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpoint.java
+++ b/src/main/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpoint.java
@@ -132,11 +132,13 @@ public void login(@RequestParam("user") String user, HttpServletResponse respons
 .signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD)
 .compact();
 Cookie cookie = new Cookie("access_token", token);
+ cookie.setSecure(true);
 response.addCookie(cookie);
 response.setStatus(HttpStatus.OK.value());
 response.setContentType(MediaType.APPLICATION_JSON_VALUE);
 } else {
 Cookie cookie = new Cookie("access_token", "");
+ cookie.setSecure(true);
 response.addCookie(cookie);
 response.setStatus(HttpStatus.UNAUTHORIZED.value());
 response.setContentType(MediaType.APPLICATION_JSON_VALUE);
diff --git a/src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignment.java b/src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignment.java
index 2efc739f64..7c361ca686 100644
--- a/src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignment.java
@@ -75,6 +75,7 @@ public AttackResult login(
 public void cleanup(HttpServletResponse response) {
 Cookie cookie = new Cookie(COOKIE_NAME, "");
 cookie.setMaxAge(0);
+ cookie.setSecure(true);
 response.addCookie(cookie);
 }
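Review bot: Setting `cookie.setSecure(true)` unconditionally on the `access_token` cookie in both branches of `login` will make browsers drop the cookie whenever this endpoint is reached over plain HTTP on a non-localhost host, which is a common way this lesson application is deployed; the token would then never be sent back and the login flow silently stops working. If the intent is to keep the lesson usable on either scheme, derive the flag from the request instead, e.g. `cookie.setSecure(request.isSecure());`, which presumably needs the `HttpServletRequest` added to the signature (the method header is only partly visible in the hunk, so confirm). Separately, Secure alone does not stop script access to the token; if the lesson's client does not need to read the cookie from JavaScript, `cookie.setHttpOnly(true);` would be the companion hardening, and the unauthorized branch still writes an empty-valued cookie without `setMaxAge(0)`, so it is overwritten rather than removed. The `login` method starts and ends outside this hunk.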
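Review bot: The added `cookie.setSecure(true)` on the deletion cookie in `cleanup` may prevent the cookie from being cleared at all: browsers reject a Secure cookie delivered over a non-secure origin, so over plain HTTP this max-age-0 response is discarded and the original `COOKIE_NAME` cookie persists. A deletion cookie has to mirror the attributes of the cookie it removes, and the place that sets `COOKIE_NAME` (the `login` method, outside this hunk) is not changed by this commit, so the two sites now presumably disagree on the Secure attribute; either apply the same attribute at both sites or compute it the same way from the request. A short comment on the deletion cookie, `// attributes must match the cookie set in login or the browser will not clear it`, would make the coupling explicit.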