session-cookie-missing-secure
session-cookie-missing-httponly
websocket-missing-origin-check
The Origin header in the HTTP WebSocket handshake is used to guarantee that the connection accepted by the WebSocket server comes from a trusted origin domain. Failure to enforce it can lead to Cross-Site Request Forgery (CSRF). As per the “gorilla/websocket” documentation: “A CheckOrigin function should carefully validate the request origin to prevent cross-site request forgery.”
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-352: Cross-Site Request Forgery (CSRF)
OWASP:
- A01:2021 - Broken Access Control
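As an added example (not code from the rule or from gorilla/websocket itself), a Go `CheckOrigin` function with the signature that `websocket.Upgrader.CheckOrigin` expects, validating the handshake's Origin header against a constructed allowlist; the allowlist and request helper are assumptions for the demo:

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// allowedOrigins is a constructed allowlist for this example; a real
// service would load it from configuration.
var allowedOrigins = map[string]bool{
	"https://app.example.com": true,
}

// CheckOrigin accepts a handshake only when the Origin header, normalised
// to scheme://host, exactly matches an allowlisted entry. Browsers always
// send Origin on a WebSocket handshake, so an absent header is rejected.
func CheckOrigin(r *http.Request) bool {
	origin := r.Header.Get("Origin")
	if origin == "" {
		return false
	}
	u, err := url.Parse(origin)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return false // "null", garbage, or a bare host are all rejected
	}
	// Exact match on scheme+host: the header is client-supplied text, so
	// prefix or substring comparisons are not a sufficient check.
	return allowedOrigins[strings.ToLower(u.Scheme)+"://"+strings.ToLower(u.Host)]
}

// requestWithOrigin builds a constructed handshake request for the demo.
func requestWithOrigin(origin string) *http.Request {
	r := httptest.NewRequest(http.MethodGet, "https://app.example.com/ws", nil)
	if origin != "" {
		r.Header.Set("Origin", origin)
	}
	return r
}

// In a handler the check is wired in as:
//   var upgrader = websocket.Upgrader{CheckOrigin: CheckOrigin}
func main() {
	for _, o := range []string{"https://app.example.com", "https://App.Example.com/",
		"http://app.example.com", "https://app.example.com.other.test", "null", ""} {
		fmt.Printf("%q -> %v\n", o, CheckOrigin(requestWithOrigin(o)))
	}
}
```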
handler-assignment-from-multiple-sources
Variable Y’ and ‘$R’. Make sure this is intended, as it could cause logic bugs if they are treated as if they were the same object.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-289: Authentication Bypass by Alternate Name