Web Application Security Findings
https://api.bitsighttech.com/ratings/v1/companies/company_guid/findings?risk_vector=web_appsec
Get sensitive data exposure evidence, including:
- Cookie SameSite Attribute
- Cookie SameSite Blocked
- HSTS Preload Directive Present
- Mixed Content
- Secure Cookie Set on Insecure Channel
- Session Token in URL
- Unsafe Referrer Policy
For details specific to Web Application Security, use the ?risk_vector=web_appsec
parameter. Other query parameters are listed in GET: Finding Details.
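The following Python is an added example (not BitSight's own client code) showing how a practitioner would build the findings URL with `risk_vector=web_appsec`, authenticate, page through results and bucket them by assessment. Three details are assumptions, since the page does not show them: the API token is sent as the HTTP Basic username with an empty password, each page carries `results[]` and a `links.next` cursor that is null on the last page, and each finding exposes the assessment name at `details.assessmentName`. The two-page response in `FAKE_PAGES` is constructed so the demo runs offline.

```python
import base64
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterator, List

BASE_URL = "https://api.bitsighttech.com/ratings/v1/companies"


def findings_url(company_guid: str, risk_vector: str = "web_appsec", **params: str) -> str:
    """Build the findings URL with ?risk_vector=... plus any other query parameters."""
    query = urllib.parse.urlencode({"risk_vector": risk_vector, **params})
    return f"{BASE_URL}/{urllib.parse.quote(company_guid, safe='')}/findings?{query}"


def auth_header(api_token: str) -> str:
    """Assumption: the API token is the HTTP Basic username with an empty password."""
    return "Basic " + base64.b64encode(f"{api_token}:".encode()).decode()


def http_get_json(url: str, api_token: str) -> dict:
    """Plain stdlib GET for live use; the offline demo below never calls it."""
    req = urllib.request.Request(
        url, headers={"Authorization": auth_header(api_token), "Accept": "application/json"}
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def iter_findings(first_url: str, fetch: Callable[[str], dict]) -> Iterator[dict]:
    """Yield every result across pages. Assumption: each page carries results[] and
    links.next (null on the last page). The seen-set guards against a looping cursor."""
    url, seen = first_url, set()
    while url and url not in seen:
        seen.add(url)
        page = fetch(url)
        yield from page.get("results", [])
        url = (page.get("links") or {}).get("next")


def group_by_assessment(findings) -> Dict[str, List[dict]]:
    """Bucket web_appsec findings by assessmentName. Assumption: the name sits at
    details.assessmentName; the page lists the names but not their position."""
    buckets: Dict[str, List[dict]] = {}
    for finding in findings:
        if finding.get("risk_vector") != "web_appsec":
            continue
        name = (finding.get("details") or {}).get("assessmentName", "unknown")
        buckets.setdefault(name, []).append(finding)
    return buckets


# Constructed two-page response standing in for the live API so the demo runs offline.
FAKE_PAGES = {
    findings_url("company_guid"): {
        "results": [
            {"risk_vector": "web_appsec", "details": {"assessmentName": "session_token_in_url"}},
            {"risk_vector": "web_appsec", "details": {"assessmentName": "cookie_same_site_attribute"}},
        ],
        "links": {"next": findings_url("company_guid", offset="2")},
    },
    findings_url("company_guid", offset="2"): {
        "results": [
            {"risk_vector": "web_appsec", "details": {"assessmentName": "cookie_same_site_attribute"}},
            {"risk_vector": "web_appsec", "details": {"assessmentName": "hsts_preload_present"}},
        ],
        "links": {"next": None},
    },
}


def demo() -> Dict[str, int]:
    """Walk the constructed pages and count findings per assessment."""
    grouped = group_by_assessment(
        iter_findings(findings_url("company_guid"), FAKE_PAGES.__getitem__)
    )
    return {name: len(items) for name, items in grouped.items()}


if __name__ == "__main__":
    # Live use: iter_findings(findings_url(guid), lambda u: http_get_json(u, token))
    print(demo())
```

Keep the token out of logs: `auth_header` is the only place it is encoded, and the fetch callable is injected so the same pagination loop can be exercised against recorded responses in CI.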
Cookie SameSite Attribute
assessmentName = cookie_same_site_attribute
Example Response (abridged)
```json
{
  "name": "TS0...b0b",
  "message": "Cookie does not have the SameSite attribute",
  "value": "017aab903c93f57f8079...2ba5a47e3e6799c7f53c",
  "attributes": "TS0...b0b=017aab903c93f57f8079...2ba5a47e3e6799c7f53c; Path=/; Domain=url; Secure"
}
```
Response Attributes
Field | Type | Description
---|---|---
name | String | The cookie name.
message | String | A summary of the issue.
value | String | The value contained in the cookie.
attributes | String | Attributes associated with the cookie.
Cookie SameSite Blocked
assessmentName = cookie_same_site_blocked
Example Response (abridged)
```json
{
  "name": "ENTRY_KEY",
  "message": "A cookie was blocked due to SameSite policy violation for reason EXCLUDE_SAME_SITE_UNSPECIFIED_TREATED_AS_LAX",
  "resolution": "blocked",
  "attributes": "path=/; domain=url",
  "resourceUrl": "url"
}
```
Response Attributes
Field | Type | Description
---|---|---
name | String | The cookie name.
message | String | A summary of the issue, including the browser's reason code.
resolution | String | How the browser handled the cookie (`blocked` in the example above).
attributes | String | Attributes associated with the cookie.
resourceUrl | String | The URL of the resource whose response triggered the SameSite violation.
HSTS Preload Directive Present
assessmentName = hsts_preload_present
Example Response (abridged)
```json
{
  "header": "Strict-Transport-Security",
  "value": "max-age=63072000; includeSubDomains; preload"
}
```
Response Attributes
Field | Type | Description
---|---|---
header | String | The name of the HTTP header.
value | String | The value of the HTTP header.
Mixed Content
assessmentName = mixed_content
Example Response (abridged)
```json
{
  "type": "IMAGE",
  "resolution": "upgraded",
  "resource": "url",
  "details": "Mixed Content: The page at 'url' was loaded over HTTPS, but requested an insecure element 'url'. This request was automatically upgraded to HTTPS, For more information see https://blog.chromium.org/2019/10/no-more-mixed-messages-about-https.html"
}
```
Response Attributes
Field | Type | Description
---|---|---
type | String | The resource type.
resolution | String | The action the browser took when loading the resource.
resource | String | A link to the resource as defined in the web application.
details | String | The resolution reason provided by the browser.
Secure Cookie Set on Insecure Channel
assessmentName = secure_cookie_on_insecure_channel
Example Response (abridged)
```json
{
  "name": "GUEST_LANGUAGE_ID"
}
```
Response Attributes
Field | Type | Description
---|---|---
name | String | The cookie name.
Session Token in URL
assessmentName = session_token_in_url
Example Response (abridged)
```json
{
  "name": "id",
  "value": "0987654321",
  "resource": "url"
}
```
Response Attributes
Field | Type | Description
---|---|---
name | String | The name of the URL parameter that carries the session token.
value | String | The value of the session token.
resource | String | The URL in which the session token was observed.
Unsafe Referrer Policy
assessmentName = unsafe_referrer_policy
Example Response (abridged)
```json
{
  "header": "Referrer-Policy",
  "value": "unsafe-url"
}
```
Response Attributes
Field | Type | Description
---|---|---
header | String | The header name.
value | String | The header value.
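As an added example (not BitSight code), the following Python reproduces the seven assessments described above locally, from a page URL, its response headers and the subresources it loads, and emits objects shaped like the example responses so a team can pre-check a site before the next scan. Everything beyond the field names is an assumption of this example rather than BitSight's published logic: the Set-Cookie parser, the site comparison (last two host labels, no public-suffix list), the session-parameter heuristic, the set of referrer policies treated as unsafe, and the Chrome-style mixed-content handling (image, audio and video upgraded to HTTPS, everything else blocked). The inputs in the test are constructed.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qsl, urlsplit

# Heuristics (assumptions of this example, see lead-in).
SESSION_NAME_RE = re.compile(r"sess|sid|token", re.I)
UNSAFE_REFERRER_POLICIES = {"unsafe-url", "no-referrer-when-downgrade"}  # leak path+query cross-origin
PASSIVE_TYPES = {"png": "IMAGE", "jpg": "IMAGE", "gif": "IMAGE", "mp3": "AUDIO", "mp4": "VIDEO"}
ACTIVE_TYPES = {"js": "SCRIPT", "css": "STYLESHEET"}


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header into name, value and a lower-cased attribute map."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def site_of(url: str) -> str:
    """Approximate the cookie 'site' as the last two host labels (no public-suffix list)."""
    return ".".join((urlsplit(url).hostname or "").split(".")[-2:])


def looks_like_session_token(name: str, value: str) -> bool:
    """Name-based match, or a long alphanumeric value mixing letters and digits."""
    if SESSION_NAME_RE.search(name):
        return True
    return (len(value) >= 20 and value.isalnum()
            and any(c.isdigit() for c in value) and any(c.isalpha() for c in value))


def assess(page_url: str, headers: Dict[str, List[str]], subresources: List[dict]) -> List[dict]:
    """headers: lower-cased header name -> list of values for the page response.
    subresources: [{"url": ..., "set_cookie": [...]}] loaded by the page."""
    out: List[dict] = []
    page_scheme = urlsplit(page_url).scheme
    for raw in headers.get("set-cookie", []):
        cookie = parse_set_cookie(raw)
        if "samesite" not in cookie["attrs"]:
            out.append({"assessmentName": "cookie_same_site_attribute", "name": cookie["name"],
                        "message": "Cookie does not have the SameSite attribute", "attributes": raw})
        if "secure" in cookie["attrs"] and page_scheme != "https":
            out.append({"assessmentName": "secure_cookie_on_insecure_channel", "name": cookie["name"]})
    for hsts in headers.get("strict-transport-security", []):
        if "preload" in [d.strip().lower() for d in hsts.split(";")]:
            out.append({"assessmentName": "hsts_preload_present",
                        "header": "Strict-Transport-Security", "value": hsts})
    for policy in headers.get("referrer-policy", []):
        tokens = [t.strip().lower() for t in policy.split(",")]  # last recognised token wins
        if tokens[-1] in UNSAFE_REFERRER_POLICIES:
            out.append({"assessmentName": "unsafe_referrer_policy",
                        "header": "Referrer-Policy", "value": policy})
    for url in [page_url] + [s["url"] for s in subresources]:
        for name, value in parse_qsl(urlsplit(url).query):
            if looks_like_session_token(name, value):
                out.append({"assessmentName": "session_token_in_url",
                            "name": name, "value": value, "resource": url})
    for sub in subresources:
        url = sub["url"]
        if page_scheme == "https" and urlsplit(url).scheme == "http":
            ext = urlsplit(url).path.rsplit(".", 1)[-1].lower()
            rtype = PASSIVE_TYPES.get(ext) or ACTIVE_TYPES.get(ext, "OTHER")
            out.append({"assessmentName": "mixed_content", "type": rtype,
                        "resolution": "upgraded" if ext in PASSIVE_TYPES else "blocked",
                        "resource": url})
        if site_of(url) != site_of(page_url):
            for raw in sub.get("set_cookie", []):
                cookie = parse_set_cookie(raw)
                same_site = str(cookie["attrs"].get("samesite", "")).lower()
                reason = None
                if "samesite" not in cookie["attrs"]:
                    reason = "EXCLUDE_SAME_SITE_UNSPECIFIED_TREATED_AS_LAX"
                elif same_site == "none" and "secure" not in cookie["attrs"]:
                    reason = "EXCLUDE_SAME_SITE_NONE_INSECURE"
                if reason:
                    out.append({"assessmentName": "cookie_same_site_blocked", "name": cookie["name"],
                                "message": f"A cookie was blocked due to SameSite policy violation for reason {reason}",
                                "resolution": "blocked", "attributes": raw, "resourceUrl": url})
    return out
```

Feed it the headers and resource list captured from a browser HAR or a headless crawl; the output keys match the tables above, so the same triage code can consume either the local checker or the API response.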
- December 12, 2023: Included general finding details; Added table of contents.
- August 11, 2023: Published.