Cookie misconfiguration
This test verifies that the 'secure' attribute is set in the 'set-cookie' field of the HTTP response header, so that cookies are only transmitted securely.
Security Misconfiguration (SM)
How this template works
APIs Selection
The template uses API selection filters to specify the criteria for selecting the API requests to be executed. In this case, it filters the requests based on the response code (between 200 and 299) and the absence of the "secure" attribute in the "Set-Cookie" response header.
Execute request
The template executes a single request by modifying the URL using the value extracted from the "urlVar" variable. This allows the template to dynamically generate the request URL based on the previous response.
Validation
The template inspects the response headers and checks whether the "Set-Cookie" header lacks the "secure" attribute. It uses a regular expression to match any value that does not contain the word "secure". This validation helps identify potential cookie misconfigurations that could compromise the security and privacy of user information.
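The check described above can be reproduced offline. The following is an added example, not Akto's template or code: it applies the same 2xx filter, then parses each Set-Cookie value attribute by attribute, and compares the result with a word-level regex written in the spirit of the one described (the exact pattern, the function names and the sample headers are assumptions constructed for illustration).

```python
import re

# Assumed stand-in for the template's regex: matches only when the word
# "secure" appears nowhere in the header value (case-insensitive).
NO_SECURE_WORD = re.compile(r"^(?!.*secure).*$", re.IGNORECASE | re.DOTALL)

def parse_set_cookie(header):
    """Split one Set-Cookie value into (cookie name, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name, attrs

def cookies_missing_secure(status, set_cookie_headers):
    """Return names of cookies set without Secure on a 2xx response."""
    if not 200 <= status <= 299:
        return []  # same response-code filter as the API selection step
    missing = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if "secure" not in attrs:
            missing.append(name)
    return missing

def naive_missing(set_cookie_headers):
    """Word-level check: flags a header only if 'secure' is absent everywhere."""
    return [h.partition("=")[0] for h in set_cookie_headers if NO_SECURE_WORD.match(h)]

# Constructed sample headers (not captured from a real service).
SAMPLE = [
    "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "prefs=dark; Path=/; Max-Age=3600",
    "secure_token=xyz; Path=/; HttpOnly",  # name contains "secure", flag is absent
    "lang=en; Path=/; SECURE",             # flag present in upper case
]

if __name__ == "__main__":
    print("attribute-level:", cookies_missing_secure(200, SAMPLE))
    print("word-level     :", naive_missing(SAMPLE))
```

The attribute-level parse also reports the cookie whose name contains "secure" but which carries no Secure flag, a case the word-level match passes over.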
Frequently asked questions
What is the purpose of the "secure" attribute in the "set-cookie" header field?
How does the absence of the "secure" flag in the "set-cookie" header impact security?
What are the potential consequences of a misconfigured "set-cookie" header without the "secure" attribute?
How does this test validate the presence of the "secure" attribute in the "set-cookie" header?
Can the absence of the "secure" flag in the "set-cookie" header be exploited by attackers?
Are there any specific standards or guidelines that recommend the use of the "secure" attribute in the "set-cookie" header?