Skip to content

Commit

Permalink
feat: update rule remediation messages (#379)
Browse files Browse the repository at this point in the history
  • Loading branch information
@elsapet
elsapet authored Apr 30, 2024
1 parent 9f2de22 commit 9e2ee69
Show file tree
Hide file tree
Showing 382 changed files with 3,885 additions and 5,195 deletions.
59 changes: 18 additions & 41 deletions rules/go/gorilla/cookie_missing_http_only.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -37,52 +37,29 @@ languages:
- go
metadata:
description: Missing HTTP Only option in cookie configuration
remediation_message: |
remediation_message: |-
## Description
When set to "true", the "HttpOnly" attribute protects the cookie value from being accessed by client side JavaScript such as reading the "document.cookie" values.
By enabling this protection, a website that is vulnerable to Cross-Site Scripting (XSS) will be able to block malicious scripts from accessing the cookie value from JavaScript.
It's essential to configure cookie security options properly, especially when using session management libraries like Gorilla Sessions in Go.
The absence of the "HttpOnly" attribute in cookie settings leaves the cookie vulnerable to being accessed by client-side JavaScript, such as through "document.cookie". This vulnerability is particularly concerning for websites susceptible to Cross-Site Scripting (XSS) attacks, as it allows malicious scripts to read the cookie value. Properly configuring the "HttpOnly" attribute is a critical step in securing cookies, especially for session management.
## Remediations
To ensure that cookies, particularly session cookies, are secure:
✅ Configure HttpOnly
Set the `HttpOnly` attribute to `true` within the Gorilla Sessions cookie store. This prevents client-side scripts from accessing the cookie data, reducing XSS attack risks.
```go
import (
"github.com/gorilla/sessions"
"net/http"
)
var store = sessions.NewCookieStore([]byte("your-secret-key"))
func MyHandler(w http.ResponseWriter, r *http.Request) {
// Get a session. We're ignoring the error resulted from decoding an
// existing session: Get() always returns a session, even if empty.
session, _ := store.Get(r, "session-name")
// Set some session values.
session.Values["foo"] = "bar"
// Set the session to be HttpOnly.
session.Options.HttpOnly = true
// Save changes.
session.Save(r, w)
}
```
✅ Leverage Gorilla SecureCookie
Utilize the encoding/decoding capabilities of Gorilla's SecureCookie to securely store session data.
✅ Implement Strong Session Management
Use Gorilla's session management features to create, renew, and expire sessions in a secure manner, preventing session fixation and other session-related attacks.
## Resources
- **Do** set the `HttpOnly` attribute to `true` for cookies, especially session cookies, to prevent them from being accessed by client-side scripts. This is a key measure in mitigating the risk of XSS attacks.
```go
func MyHandler(w http.ResponseWriter, r *http.Request) {
session, _ := store.Get(r, "session-name")
...
session.Options.HttpOnly = true
session.Save(r, w)
}
```
- **Do** use Gorilla SecureCookie for encoding and decoding session data securely. This method provides an additional layer of security for session information.
```go
var s = sessions.NewCookieStore([]byte("your-secret-key"))
```
- **Do** implement robust session management with Gorilla Sessions. Proper session management helps prevent attacks related to session fixation and enhances overall session security.
## References
- [Gorilla Sessions Documentation](http://www.gorillatoolkit.org/pkg/sessions)
- [OWASP Session Management Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html)
Expand Down
36 changes: 17 additions & 19 deletions rules/go/gorilla/insecure_cookie.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -37,31 +37,29 @@ languages:
- go
metadata:
description: "Missing Secure option in cookie configuration"
remediation_message: |
remediation_message: |-
## Description
When set to "true", the "Secure" attribute ensures that a client will only send the cookie to the server when HTTPS is being used.
This prevents the cookie from being observed by unauthorized third parties.
It's essential to configure cookie security options properly, especially when using session management libraries like Gorilla Sessions in Go.
The Secure attribute in cookie configuration is crucial for protecting cookies from unauthorized third-party access. When set to "true," it ensures cookies are only sent over HTTPS, safeguarding the data during transmission.
## Remediations
To ensure that cookies, particularly session cookies, are secure:
✅ Set Secure Flag
If your site is served over HTTPS, also set the `Secure` flag on the cookie to ensure it's transmitted over secure channels only.
✅ Leverage Gorilla SecureCookie
Utilize the encoding/decoding capabilities of Gorilla's SecureCookie to securely store session data.
✅ Implement Strong Session Management
Use Gorilla's session management features to create, renew, and expire sessions in a secure manner, preventing session fixation and other session-related attacks.
- **Do** set the Secure flag for cookies if your site uses HTTPS. This action restricts cookies to secure channels, enhancing their security.
```go
http.SetCookie(w, &http.Cookie{
Name: "session_token",
Value: sessionToken,
Secure: true,
HttpOnly: true,
})
```
- **Do** use Gorilla SecureCookie for encoding and decoding session data securely. This method provides an additional layer of security for session information.
```go
var s = sessions.NewCookieStore([]byte("your-secret-key"))
```
- **Do** implement robust session management with Gorilla Sessions. Proper session management helps prevent attacks related to session fixation and enhances overall session security.
## Resources
## References
- [Gorilla Sessions Documentation](http://www.gorillatoolkit.org/pkg/sessions)
- [OWASP Session Management Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html)
Expand Down
45 changes: 10 additions & 35 deletions rules/go/gosec/blocklist/cgi.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -9,48 +9,23 @@ languages:
- go
metadata:
description: Usage of vulnerable CGI package
remediation_message: |
remediation_message: |-
## Description
Using the `net/http/cgi` package in Go, especially with versions prior to 1.6.3, exposes the application to the Httpoxy attack, a vulnerability identified as CVE-2016-5386. This vulnerability arises from the way CGI and FastCGI protocols handle certain environment variables, which can be manipulated to intercept and redirect outgoing HTTP requests made by the web application.
The `net/http/cgi` package in Go versions before 1.6.3 is vulnerable to the Httpoxy attack. This vulnerability, identified as CVE-2016-5386, occurs because of how CGI and FastCGI protocols manage certain environment variables. Attackers can exploit this to intercept and redirect outgoing HTTP requests from the web application.
## Remediations
✅ Update Go Version
- **Do** update your Go version to 1.6.3 or later to mitigate this vulnerability.
- **Do** opt for alternative packages, like the standard `net/http` library, for handling HTTP requests that do not use the CGI protocol.
- **Do not** use the `net/http/cgi` package if your Go version is older than 1.6.3, as it is vulnerable to the Httpoxy attack.
```go
import "net/http/cgi"
```
- **Do** ensure that environment variables like `HTTP_PROXY` are not unintentionally exposed, as this can be leveraged for Httpoxy attacks.
Ensure you are using a version of Go that is 1.6.3 or later, where this vulnerability is patched.
## References
```sh
# Check Go version and update if necessary
go version
# Follow Go's update instructions if your version is < 1.6.3
```
✅ Use Alternative Packages
Refrain from using CGI where possible. Utilize alternative packages and methods to handle HTTP requests which do not rely on the CGI protocol.
```go
// Use the standard net/http package instead
import "net/http"
```
❌ Don't Use `net/http/cgi` in Older Versions
Do not use the `net/http/cgi` package if you are operating on Go versions older than 1.6.3 as they are susceptible to the Httpoxy vulnerability.
```go
// This import is vulnerable to Httpoxy in Go < 1.6.3
import "net/http/cgi"
```
❌ Avoid Exposing Environment Variables
Ensure that the environment variables such as `HTTP_PROXY` are not being exposed unintentionally, as this can be leveraged for Httpoxy attacks.
## Resources
- [CVE-2016-5386 Detail](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5386)
- [Httpoxy.org](https://httpoxy.org/)
cwe_id:
Expand Down
59 changes: 6 additions & 53 deletions rules/go/gosec/blocklist/des.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -9,64 +9,17 @@ languages:
- go
metadata:
description: "Import of weak encryption algorithm (DES)"
remediation_message: |
remediation_message: |-
## Description
The Data Encryption Standard (DES) is an outdated symmetric-key algorithm for encryption. Officially deemed insecure and no longer recommended for use, DES was withdrawn by the National Institute of Standards and Technology (NIST) as a standard in 2005, primarily because of its 56-bit key size, which is vulnerable to brute-force attacks.
The Data Encryption Standard (DES) is an outdated encryption algorithm that is officially considered insecure and is no longer recommended for use. DES was withdrawn as a standard by the National Institute of Standards and Technology (NIST) in 2005 because of its 56-bit key size which makes it susceptible to brute-force attacks.
## Remediation
## Remediations
To ensure the confidentiality and integrity of sensitive data, it is crucial to utilize a modern and secure encryption algorithm. The use of Advanced Encryption Standard (AES) with a key size of 256 bits (AES-256) is recommended for its strong security properties and widespread acceptance as a replacement for DES.
- **Do not** use DES for encrypting data. Its known vulnerabilities and insecurities make it an unsuitable choice for protecting sensitive information.
- **Do** implement the Advanced Encryption Standard (AES) with a key size of 256 bits (AES-256) for encryption. AES-256 is recognized for its strong security properties and is widely accepted as a secure replacement for DES.
✅ Implement AES-256 for Strong Encryption
```go
// Use AES-256 for secure encryption by initializing a 32-byte key for AES-256
key := make([]byte, 32)
if _, err := io.ReadFull(rand.Reader, key); err != nil {
log.Fatal(err)
}
// Create a new cipher block from the key
blockCipher, err := aes.NewCipher(key)
if err != nil {
log.Fatal(err)
}
// Use Galois/Counter Mode (GCM) for both encryption and decryption
aead, err := cipher.NewGCM(blockCipher)
if err != nil {
log.Fatal(err)
}
var encrypted = []byte{}
var nonce = []byte{}
// Encrypt a message with AES-256 using GCM
{
msg := []byte("Some secret message")
// Ensure nonces are unique for each encryption to maintain security
nonce = make([]byte, 12)
if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
log.Fatal(err)
}
encrypted = aead.Seal(nil, nonce, msg, nil)
}
// Decrypt the message securely
{
msg, err := aead.Open(nil, nonce, encrypted, nil)
if err != nil {
log.Fatal(err)
}
fmt.Printf("Decrypted: %s\n", msg)
}
```
❌ Do Not Use Deprecated Algorithms
Avoid using deprecated cryptographic algorithms such as DES, as they do not provide adequate security against modern threats and attacks.
## Resources
## References
- [NIST Recommendations](https://csrc.nist.gov/publications/detail/sp/800-131a/rev-2/final)
- [AES-256 Encryption](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard)
Expand Down
31 changes: 7 additions & 24 deletions rules/go/gosec/blocklist/md5.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -9,35 +9,18 @@ languages:
- go
metadata:
description: "Import of weak hashing library (MD5)"
remediation_message: |
remediation_message: |-
## Description
MD5 is a widely used cryptographic hash function that produces a 128-bit (16-byte) hash value. It's commonly used to check the integrity of files. However, MD5 is not collision-resistant; this means that different inputs may produce the same output hash. MD5's vulnerabilities and the feasibility of collision attacks have rendered it obsolete for security-related purposes, particularly digital signatures, SSL certificates, and cryptographic message authentication.
Using a weak hashing library like MD5 increases the risk of data breaches. MD5 is vulnerable to collision attacks, where two different inputs produce the same output, compromising data integrity and security.
## Remediation
## Remediations
Given the vulnerabilities of MD5, it is highly recommended to switch to more secure hashing algorithms. For hashing purposes that do not involve passwords, such as verifying file integrity or generating unique identifiers, SHA-3 or BLAKE2 can be used due to their stronger cryptographic properties.
- **Do not** use MD5 for hashing. It is considered a weak hash algorithm and can compromise data security.
- **Do** use stronger hashing algorithms such as SHA-3 or BLAKE2 for general hashing purposes, such as file integrity checks or generating unique identifiers.
- **Do** use recommended algorithms such as bcrypt or Argon2id for password hashing, as these are designed to be slower and therefore more effective against brute-force attacks.
✅ Use SHA-3 or BLAKE2 for General Hashing Needs
```go
// BLAKE2 is a cryptographic hash function faster than MD5, SHA-1, and SHA-2, and as secure as the latest standard SHA-3
fileContents := []byte("some file contents to create hash for")
blake2bHasher, err := blake2b.New512(nil)
if err != nil {
log.Fatal(err)
}
hashedValue := blake2bHasher.Sum(fileContents)
fmt.Printf("%s\n", hex.EncodeToString(hashedValue))
```
For password hashing, where the hash functions need to be slow to combat brute-force attacks, bcrypt or Argon2id should be used. These algorithms are designed to be computationally intensive to hash and verify, which helps protect against password cracking attempts.
✅ Adopt bcrypt or Argon2id for Password Hashing
The bcrypt algorithm is a good choice for password hashing as it allows you to adjust the cost (computational complexity) and is widely supported. Argon2id is the winner of the Password Hashing Competition and offers a good balance between resistance to GPU cracking attacks and usability.
## Resources
## References
- [OWASP Password Storage Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html)
Expand Down
55 changes: 6 additions & 49 deletions rules/go/gosec/blocklist/rc4.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -9,60 +9,17 @@ languages:
- go
metadata:
description: "Import of weak encryption algorithm (RCA)"
remediation_message: |
remediation_message: |-
## Description
RC4 is a stream cipher that was once popular for its simplicity and speed in operation. However, extensive research over the years has revealed multiple vulnerabilities, rendering RC4 insecure in most contexts. Its weaknesses in key scheduling and the generation of non-random bytes have led to successful cryptanalysis and practical attacks, making it unsuitable for securing data.
The RC4 encryption algorithm is outdated and vulnerable. It has been found to have significant security flaws, including predictable key generation and weak randomization, which have been exploited in various attacks. These vulnerabilities make RC4 unsuitable for secure data encryption.
## Remediation
## Remediations
With the known vulnerabilities of RC4, it's essential to move to a more secure cipher. AES (Advanced Encryption Standard) is the recommended replacement because it has undergone extensive scrutiny and is considered secure against cryptanalysis.
- **Do not** use RC4 for encrypting data. Its vulnerabilities to cryptanalysis and practical attacks compromise data security.
- **Do** switch to AES-256 for encryption. AES-256 is a secure and widely accepted standard that provides strong protection against attacks. Using AES-256 ensures compliance with current security standards and provides a robust defense against known cryptographic attacks.
✅ Switch to AES-256 for Robust Encryption
```go
// 32 byte keys will set up AES-256, which is a secure block cipher that has become the industry standard for encryption.
key := make([]byte, 32)
if _, err := io.ReadFull(rand.Reader, key); err != nil {
log.Fatal(err)
}
blockCipher, err := aes.NewCipher(key)
if err != nil {
log.Fatal(err)
}
aead, err := cipher.NewGCM(blockCipher)
if err != nil {
log.Fatal(err)
}
var encrypted = []byte{}
var nonce = []byte{}
// Encryption routine
{
msg := []byte("Some secret message")
// Note that the key must be rotated after every 2^32 uses of a single nonce-value to avoid cipher text repetition.
nonce = make([]byte, 12)
if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
log.Fatal(err)
}
encrypted = aead.Seal(nil, nonce, msg, nil)
}
// Decryption routine
{
msg, err := aead.Open(nil, nonce, encrypted, nil)
if err != nil {
log.Fatal(err)
}
fmt.Printf("Decrypted: %s\n", msg)
}
```
Using AES-256 ensures that your encryption mechanism meets current security standards and is robust against known attacks. AES has been widely adopted across various industries and has proven its reliability over time.
## Resources
## References
- [NIST Guidelines on Cryptography](https://csrc.nist.gov/publications/detail/sp/800-38a/final)
cwe_id:
Expand Down
Loading

0 comments on commit 9e2ee69

Please sign in to comment.