Amazon QDetector Library Sign in to Amazon Q

Q

Detector Library

Go detectors (45/45)

Useless if Body Channel Guarded With Mutex Improper Certificate Validation Unvalidated S3 Bucket Ownership Resource Leak Insecure Cookie Weak Random Number Generation Redundant Equality Check Insecure Ignore Host Key Unsafe Reflection Unchecked Batch Operation Failures Lambda Client Reuse Os Command Injection Useless if Conditional Log Injection Httptrace FileServer As Handler Pprof Endpoint Cross Site Scripting (XSS)Not Recommended API Usage Hidden Goroutine Channel Accessible By Non Endpoint Decompression Bomb Cross-Site Request Forgery (CSRF)Thread Safety Violation Insecure Connection SQL Injection Deprecated Key Generator Exported Loop Pointer Server Side Request Forgery (SSRF)Sensitive Information Leak Integer Overflow Missing Pagination Insecure Cryptography Protection Mechanism Failure Nil Pointer Dereference Temporary Files XML External Entity Insecure File Permissions Authentication Bypass By Alternate Name Code Injection Improper authentication Use Filepath Join Path Traversal Write Pprof Profile Output Hardcoded true or false

Insecure Cookie Low

Cookies should always be created with the HttpOnly and Secure flags to prevent interception and theft. The HttpOnly flag disables client-side JavaScript access to mitigate XSS threats. The Secure flag restricts transmission to HTTPS connections to prevent MITM eavesdropping. Failing to set these flags when creating cookies with http.Cookie or gorilla/sessions leaves them vulnerable regardless of current contents. All cookies should be HttpOnly to prevent JavaScript access. Sensitive session and auth cookies should also be Secure to block MITM snooping. Enabling cookie security flags is essential to limit exposure and misuse.

Detector ID

go/insecure-cookie@v1.0

Category

Common Weakness Enumeration (CWE)

CWE-614 CWE-1004

Tags

# cookies # owasp-top10