# GET Web Application Security Evidence: Sensitive Data Exposure

Ingrid

```
GET https://api.bitsighttech.com/ratings/v1/companies/company_guid/findings?risk_vector=web_appsec
```

Get sensitive data exposure evidence, including:

- Cookie SameSite Attribute
- Cookie SameSite Blocked
- HSTS Preload Directive Present
- Mixed Content
- Secure Cookie Set on Insecure Channel
- Session Token in URL
- Unsafe Referrer Policy

For details specific to Web Application Security, use the `?risk_vector=web_appsec` parameter. Other query parameters are listed in GET: Finding Details.

## Cookie SameSite Attribute

`assessmentName = cookie_same_site_attribute`

Example Response:

```json
{
  "name": "TS0...b0b",
  "message": "Cookie does not have the SameSite attribute",
  "value": "017aab903c93f57f8079...2ba5a47e3e6799c7f53c",
  "attributes": "TS0...b0b=017aab903c93f57f8079...2ba5a47e3e6799c7f53c; Path=/; Domain=url; Secure"
}
```

Response Attributes:

| Field | Type | Description |
|---|---|---|
| name | String | The cookie name. |
| message | String | A summary of the issue. |
| value | String | The value contained in the cookie. |
| attributes | String | Attributes associated with the cookie. |

## Cookie SameSite Blocked

`assessmentName = cookie_same_site_blocked`

Example Response:

```json
{
  "name": "ENTRY_KEY",
  "message": "A cookie was blocked due to SameSite policy violation for reason EXCLUDE_SAME_SITE_UNSPECIFIED_TREATED_AS_LAX",
  "resolution": "blocked",
  "attributes": "path=/; domain=url",
  "resourceUrl": "url"
}
```

Response Attributes:

| Field | Type | Description |
|---|---|---|
| name | String | The cookie name. |
| message | String | A summary of the issue. |
| resolution | String | |
| attributes | String | Attributes associated with this link. |
| resourceUrl | String | The resource URL that had the CSP violation. |

## HSTS Preload Directive Present

`assessmentName = hsts_preload_present`

Example Response:

```json
{
  "header": "Strict-Transport-Security",
  "value": "max-age=63072000; includeSubDomains; preload"
}
```

Response Attributes:

| Field | Type | Description |
|---|---|---|
| header | String | The name of the HTTP header. |
| value | String | The value of the HTTP header. |

## Mixed Content

`assessmentName = mixed_content`

Example Response:

```json
{
  "type": "IMAGE",
  "resolution": "upgraded",
  "resource": "url",
  "details": "Mixed Content: The page at 'url' was loaded over HTTPS, but requested an insecure element 'url'. This request was automatically upgraded to HTTPS, For more information see https://blog.chromium.org/2019/10/no-more-mixed-messages-about-https.html"
}
```

Response Attributes:

| Field | Type | Description |
|---|---|---|
| type | String | The resource type. |
| resolution | String | The action the browser took when loading the resource. |
| resource | String | A link to the resource as defined in the web application. |
| details | String | The resolution reason provided by the browser. |

## Secure Cookie Set on Insecure Channel

`assessmentName = secure_cookie_on_insecure_channel`

Example Response:

```json
{
  "name": "GUEST_LANGUAGE_ID"
}
```

Response Attributes:

| Field | Type | Description |
|---|---|---|
| name | String | The cookie name. |

## Session Token in URL

`assessmentName = session_token_in_url`

Example Response:

```json
{
  "name": "id",
  "value": "0987654321",
  "resource": "url"
}
```

Response Attributes:

| Field | Type | Description |
|---|---|---|
| name | String | The attribute name. |
| value | String | The value of the session token. |
| resource | String | The session token URL. |

## Unsafe Referrer Policy

`assessmentName = unsafe_referrer_policy`

Example Response:

```json
{
  "header": "Referrer-Policy",
  "value": "unsafe-url"
}
```

Response Attributes:

| Field | Type | Description |
|---|---|---|
| header | String | The header name. |
| value | String | The header value. |

## Change log

- December 12, 2023: Included general finding details; added table of contents.
- August 11, 2023: Published.

## Related articles

- GET: Web Application Security Finding Details
- GET Web Application Security Evidence: Security Misconfiguration
- GET Web Application Security Evidence: Cross-Site Scripting
- How is the Web Application Security Risk Vector Assessed?
- GET: Life Cycle Details
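The evidence objects documented above are the raw material for remediation, but their cookie and header values still need parsing before a team can act on them. The following added example (not BitSight's code, and not part of this article) turns each documented `assessmentName` and its evidence object into a remediation hint: it splits `;`-separated cookie attributes and HSTS directives, reports which hardening attributes a cookie lacks, and checks an HSTS value against the hstspreload.org submission minimums. The sample values are constructed from this page's example responses; the outer structure of the findings response is not shown here, so the caller is assumed to have already extracted each evidence object together with its `assessmentName`.

```python
# Added example (not BitSight's code): triage helpers for the evidence objects documented above.
# Sample values are constructed from the page's example responses; the caller is assumed to
# have already extracted each evidence object and its assessmentName from the findings response.
from typing import Dict, List, Union

def parse_directives(header: str) -> Dict[str, Union[str, bool]]:
    """Split 'a=b; C; d=e' into {'a': 'b', 'c': True, 'd': 'e'}; keys are lower-cased."""
    out: Dict[str, Union[str, bool]] = {}
    for part in header.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            out[key.lower()] = val.strip() or True
    return out

def cookie_gaps(attributes: str) -> List[str]:
    """Hardening attributes missing from a Set-Cookie style attribute string."""
    d = parse_directives(attributes)
    gaps = [flag for flag in ("samesite", "secure", "httponly") if flag not in d]
    # Browsers only honour SameSite=None when the cookie is also marked Secure.
    if str(d.get("samesite", "")).lower() == "none" and "secure" not in d:
        gaps.append("samesite=none-without-secure")
    return gaps

def hsts_preload_ready(value: str) -> bool:
    """True when the header meets hstspreload.org minimums: max-age >= 1 year, includeSubDomains, preload."""
    d = parse_directives(value)
    try:
        max_age = int(str(d.get("max-age", "0")))
    except ValueError:
        return False
    return max_age >= 31536000 and d.get("includesubdomains") is True and d.get("preload") is True

def triage(assessment_name: str, e: dict) -> str:
    """One remediation hint per assessmentName on this page; unknown names are flagged, not guessed."""
    if assessment_name == "cookie_same_site_attribute":
        return "cookie %s lacks %s" % (e["name"], ", ".join(cookie_gaps(e["attributes"])))
    if assessment_name == "cookie_same_site_blocked":
        return "cookie %s was %s by the browser; set SameSite explicitly" % (e["name"], e["resolution"])
    if assessment_name == "hsts_preload_present":
        ok = hsts_preload_ready(e["value"])
        return "HSTS " + ("meets preload minimums" if ok else "has preload but misses preload minimums")
    if assessment_name == "mixed_content":
        return "insecure %s request was %s; reference it over https" % (e["type"].lower(), e["resolution"])
    if assessment_name == "secure_cookie_on_insecure_channel":
        return "cookie %s is Secure but was set over plain HTTP" % e["name"]
    if assessment_name == "session_token_in_url":
        return "session token '%s' is in the URL; move it to a cookie or header" % e["name"]
    if assessment_name == "unsafe_referrer_policy":
        return "Referrer-Policy '%s' leaks full URLs; use strict-origin-when-cross-origin" % e["value"]
    return "unrecognised assessmentName: " + assessment_name
```

Run `triage(finding["assessmentName"], evidence)` for each evidence object; a `SameSite=None` cookie without `Secure` is reported as its own gap because browsers reject that combination outright.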