From 8b8c6892218732cfa5d908167b1641cb867cc8d3 Mon Sep 17 00:00:00 2001
From: Mobb autofixer
Date: Fri, 17 May 2024 19:16:02 +0000
Subject: [PATCH 1/5] mobb fix commit: a76bfe4f-1324-4c5d-9596-eb5880946e58
---
 .../java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpoint.java | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/main/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpoint.java b/src/main/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpoint.java
index e1ac1a0d2d..0585fb73f6 100644
--- a/src/main/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpoint.java
+++ b/src/main/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpoint.java
@@ -128,6 +128,7 @@ public void login(@RequestParam("user") String user, HttpServletResponse respons
 .signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD)
 .compact();
 Cookie cookie = new Cookie("access_token", token);
+ cookie.setHttpOnly(true);
 response.addCookie(cookie);
 response.setStatus(HttpStatus.OK.value());
 response.setContentType(MediaType.APPLICATION_JSON_VALUE);
From faa8ec8bab854f070deaec0d10dd04c82ac111e1 Mon Sep 17 00:00:00 2001
From: Mobb autofixer
Date: Fri, 17 May 2024 19:16:02 +0000
Subject: [PATCH 2/5] mobb fix commit: 5448e374-5308-4dac-9e33-b17cc565aaa3
---
 .../java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpoint.java | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/main/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpoint.java b/src/main/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpoint.java
index 0585fb73f6..ed372a66d5 100644
--- a/src/main/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpoint.java
+++ b/src/main/java/org/owasp/webgoat/lessons/jwt/JWTVotesEndpoint.java
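Review bot: `cookie.setHttpOnly(true)` on the `access_token` cookie leaves the `Secure` attribute unset, so the signed JWT is still sent over plain HTTP; the sibling fixes in HijackSessionAssignment and SpoofCookieAssignment in this same series set `cookie.setSecure(true)` and a path, and this one should match with `cookie.setSecure(true);` before `response.addCookie(cookie);`. SameSite is also absent, and the servlet `Cookie` API used here may not expose it (there is no `setAttribute` before Servlet 6), in which case the header has to be written via `response.addHeader("Set-Cookie", ...)` — worth confirming against the project's servlet version. Because this is a WebGoat lesson endpoint, also confirm that the lesson's page script does not read `access_token` through `document.cookie`, since HttpOnly would then break the exercise rather than harden it. The enclosing `login` method starts and ends outside the hunk.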
@@ -134,6 +134,7 @@ public void login(@RequestParam("user") String user, HttpServletResponse respons
 response.setContentType(MediaType.APPLICATION_JSON_VALUE);
 } else {
 Cookie cookie = new Cookie("access_token", "");
+ cookie.setHttpOnly(true);
 response.addCookie(cookie);
 response.setStatus(HttpStatus.UNAUTHORIZED.value());
 response.setContentType(MediaType.APPLICATION_JSON_VALUE);
From fbdac5e6daea4e62cb6544927cf07da8f3426156 Mon Sep 17 00:00:00 2001
From: Mobb autofixer
Date: Fri, 17 May 2024 19:16:03 +0000
Subject: [PATCH 3/5] mobb fix commit: 6884f349-4249-4bcb-98b4-5333abefa3d5
---
 .../webgoat/lessons/hijacksession/HijackSessionAssignment.java | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/main/java/org/owasp/webgoat/lessons/hijacksession/HijackSessionAssignment.java b/src/main/java/org/owasp/webgoat/lessons/hijacksession/HijackSessionAssignment.java
index 8fae4e89d4..54e291a3aa 100644
--- a/src/main/java/org/owasp/webgoat/lessons/hijacksession/HijackSessionAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/hijacksession/HijackSessionAssignment.java
@@ -84,6 +84,7 @@ public AttackResult login(
 private void setCookie(HttpServletResponse response, String cookieValue) {
 Cookie cookie = new Cookie(COOKIE_NAME, cookieValue);
+ cookie.setHttpOnly(true);
 cookie.setPath("/WebGoat");
 cookie.setSecure(true);
 response.addCookie(cookie);
From 8467e12d69a5c88c594b657365a3f4b14b2a3071 Mon Sep 17 00:00:00 2001
From: Mobb autofixer
Date: Fri, 17 May 2024 19:16:03 +0000
Subject: [PATCH 4/5] mobb fix commit: dc3ce104-8e80-44aa-a8d1-8f123068c2c6
---
 .../owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignment.java | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignment.java b/src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignment.java
index d8bda90079..ddf2e2caef 100644
--- a/src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignment.java
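Review bot: The `else` branch "clears" `access_token` by writing an empty value but never calls `setMaxAge(0)`, so the browser keeps an empty-valued cookie instead of deleting it; the cleanup in SpoofCookieAssignment later in this series does `cookie.setMaxAge(0);`, and this branch should do the same, placed before `response.addCookie(cookie);`. HttpOnly on a cookie being removed is harmless, but a deletion only takes effect when name, path and domain match the cookie written in the success branch; both branches currently leave the path unset, so they agree, and any path added to the success branch must be mirrored here. The enclosing `login` method starts and ends outside the hunk.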
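Review bot: HttpOnly only blocks `document.cookie` reads of `COOKIE_NAME`; it does not change how `cookieValue` is produced, which in a session-hijacking lesson is presumably the property under test (guessable or sequential identifiers), so this autofix should not be read as closing that issue — the value is generated outside this hunk and this method. The cookie still carries no SameSite attribute; if the servlet `Cookie` API in use lacks `setAttribute`, the alternative is to emit the header directly, e.g. `response.addHeader("Set-Cookie", COOKIE_NAME + "=" + cookieValue + "; Path=/WebGoat; Secure; HttpOnly; SameSite=Strict");` in place of `addCookie`, bearing in mind that `cookieValue` is not encoded on that path. A one-line comment above `setHttpOnly` such as `// HttpOnly/Secure limit theft via script or plain HTTP; the value itself is what this lesson exercises` would keep readers from over-trusting the flag.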
+++ b/src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignment.java
@@ -77,6 +77,7 @@ public AttackResult login(
 @GetMapping(path = "/SpoofCookie/cleanup")
 public void cleanup(HttpServletResponse response) {
 Cookie cookie = new Cookie(COOKIE_NAME, "");
+ cookie.setHttpOnly(true);
 cookie.setMaxAge(0);
 response.addCookie(cookie);
 }
From 7b0faba073c3aaa26b6320cbeafba1c4893a4d06 Mon Sep 17 00:00:00 2001
From: Mobb autofixer
Date: Fri, 17 May 2024 19:16:03 +0000
Subject: [PATCH 5/5] mobb fix commit: 881a1334-b3b8-47b5-96d8-80e37fa500b5
---
 .../owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignment.java | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignment.java b/src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignment.java
index ddf2e2caef..0df1e888ac 100644
--- a/src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/spoofcookie/SpoofCookieAssignment.java
@@ -94,6 +94,7 @@ private AttackResult credentialsLoginFlow(
 if (!authPassword.isBlank() && authPassword.equals(password)) {
 String newCookieValue = EncDec.encode(lowerCasedUsername);
 Cookie newCookie = new Cookie(COOKIE_NAME, newCookieValue);
+ newCookie.setHttpOnly(true);
 newCookie.setPath("/WebGoat");
 newCookie.setSecure(true);
 response.addCookie(newCookie);
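Review bot: The deletion cookie in `cleanup` sets no path, while the cookie it is meant to remove is written with `newCookie.setPath("/WebGoat")` in `credentialsLoginFlow` (visible in the next patch of this series); browsers match cookies on name, domain and path, so an expiring cookie whose default path is derived from the request URI (presumably `/WebGoat/SpoofCookie` under this mapping) does not replace the `/WebGoat` one, and the login cookie survives cleanup. Add `cookie.setPath("/WebGoat");` (and, to mirror the original, `cookie.setSecure(true);`) before `response.addCookie(cookie);`. `setHttpOnly(true)` on a max-age-0 cookie is harmless but does not address this.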
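Review bot: `newCookieValue` is `EncDec.encode(lowerCasedUsername)`, a value derived from the username alone with nothing shown binding it to a session or authenticating it; HttpOnly stops page script from reading the cookie but does nothing against a client that crafts the encoded value for another user, which is presumably the forgery this SpoofCookie lesson is about, so the fix should not be presented as resolving it. If `EncDec.encode` (not shown) is a plain reversible encoding, the real remediation is an authenticated value — an HMAC over the username with a server-side secret, or an opaque random token looked up server-side. Separately, `authPassword.equals(password)` compares a plaintext password with short-circuiting `String.equals`; outside a training app that would be `MessageDigest.isEqual` over a password hash, which deserves a `// intentionally weak: lesson code` comment so it is not copied. The enclosing `credentialsLoginFlow` and this `if` block continue outside the hunk.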