Usage of default session cookie configuration

Description

Using default session cookie configurations can expose your application to security vulnerabilities. This vulnerability arises when session cookies are set with their default values (for example, the framework's default cookie name), making them predictable and easier to exploit.

Remediations

  • Do not rely on the default session cookie names and values provided by your framework. These defaults can be easily guessed by attackers, increasing the risk of session hijacking.
  • Do use generic, non-descriptive names for session cookies. This makes it harder for attackers to identify and exploit the session management mechanism of your application.
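The following is an added example, not Bearer's or express-session's own code: the default-reliant `express-session` options object beside a hardened one, plus a small `auditSessionConfig` helper that flags what the remediations above describe. It assumes express-session semantics, namely that an omitted `name` yields the cookie name `connect.sid` and that `cookie.secure` is off unless set.

```javascript
// Added example (not from Bearer or express-session). Assumes express-session
// semantics: an omitted `name` means the cookie is called "connect.sid".
const DEFAULT_COOKIE_NAME = "connect.sid";

// Weak: only the secret is set, so the cookie keeps the framework's default
// name, is sent over plain HTTP, has no SameSite policy and never expires.
const weakSessionConfig = {
  secret: "placeholder-secret", // constructed placeholder
};

// Hardened: generic cookie name, transport and scope restricted explicitly.
// Wire it up with `app.use(session(hardenedSessionConfig))`.
const hardenedSessionConfig = {
  secret: "placeholder-secret-from-env", // load from the environment in practice
  name: "sid",              // non-descriptive, does not reveal the framework
  resave: false,
  saveUninitialized: false,
  cookie: {
    httpOnly: true,
    secure: true,           // only send over HTTPS
    sameSite: "lax",
    maxAge: 30 * 60 * 1000, // 30 minutes
  },
};

// Returns the list of findings for an express-session options object.
// Checks the default name the rule targets and the cookie attributes a
// reviewer would expect to be set explicitly.
function auditSessionConfig(opts) {
  const findings = [];
  const name = opts.name || DEFAULT_COOKIE_NAME;
  if (name === DEFAULT_COOKIE_NAME) findings.push("default cookie name");
  const cookie = opts.cookie || {};
  if (cookie.secure !== true) findings.push("cookie.secure not set");
  if (cookie.httpOnly === false) findings.push("cookie.httpOnly disabled");
  if (cookie.sameSite === undefined) findings.push("cookie.sameSite not set");
  if (!cookie.maxAge && !cookie.expires) findings.push("no cookie expiry");
  return findings;
}
```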

References

Associated CWE

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=javascript_express_default_session_config

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=javascript_express_default_session_config