Open Ankita28g opened 1 year ago
Hi Ankita, I would like to try on this issue and contribute. Can you please assign me to this issue?
HI @bhavya-error404, Assigned to you! Happy hackfesting 🎉
Hi @Ankita28g , I need to add regex for facebook, intercom etc cookie types. For example a regex that would be able to detect a facebook cookie, right?
Hi @bhavya-error404 - yes. In this case, you might want to add the regexes based on keys rather than values. They can be cookie names for products or infrastructures -
For example,
_ga
_gid
is for Google Analytics
intercom.*
is for Intercom
Examples for infra based are -
.*srf.*
is for CSRF token
JSESSIONID
is for Jetty session
AWS.*
for AWS Loadbalancer cookies
hi @bhavya-error404 did you submit a PR here?
yes ankita
here is the link https://github.com/akto-api-security/akto/pull/251
@ankush-jain-akto , @Ankita28g I can pick this up. Can you please assign this to me.
@Ankita28g @ankush-jain-akto - I have analysed the list of cookies and below are the details - Is it good to proceed? Also, do I need to have a separate entry in fintech.json for each product/infrastructure?
Facebook Cookies:
c_user.*
datr
csrf
_fbp, _fbc
intercom- Cookies:
intercom.*
Ref- https://www.intercom.com/help/en/articles/2361922-intercom-messenger-cookies
google ads- Cookies:
_ga
_gid
Ref-
hotjar- Cookies:
csrf.*
optanon.*
_dc_gtm_UA_.*
.*consent
cf.*
__cf.*
user.*
ts.*
nsid
fullstory- Cookies:
fs_.*
_fs.*
Ref: https://help.fullstory.com/hc/en-us/articles/360020829513-Why-FullStory-uses-First-Party-Cookies
mixpanel- Cookies:
.*mixpanel-.*
mp.*
Ref: https://cookiedatabase.org/service/mixpanel/
appsflyer- Cookies:
_hj.*
_ym.*
@Ankita28g / @ankush-jain-akto - is it good for me to proceed? If yes could you assign this to me?
Hi @harshalkh
Your analysis is correct, but we should be cautious about over-tagging, especially with common cookies like csrf, as it could lead to false positives. To minimize this, please refine the list, focusing on unique cookies specific to Facebook, like _fbp and _fbc. I've assigned the issue to you in the meantime.
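An added illustration (not Akto's code and not from the PRs linked in this thread) of the key-based matching Ankita describes and the over-tagging concern raised above: a small Python classifier applies the proposed cookie-name patterns to a Cookie header and reports which patterns also match cookie names that unrelated frameworks commonly set. Assumptions: patterns are applied to the cookie name (not the value) as full matches, and the dict stands in for fintech.json entries, whose real schema is not reproduced here.

```python
import re

# Cookie-name patterns as proposed in this thread (constructed dict; the real
# entries live in Akto's fintech.json, whose exact schema is not reproduced here).
COOKIE_TYPES = {
    "Google Analytics": [r"_ga", r"_gid"],
    "Intercom": [r"intercom.*"],
    "Jetty session": [r"JSESSIONID"],
    "AWS load balancer": [r"AWS.*"],
    "Facebook": [r"_fbp", r"_fbc", r"c_user.*"],
    "FullStory": [r"fs_.*", r"_fs.*"],
    "Mixpanel": [r".*mixpanel-.*", r"mp.*"],
    # Hotjar list as first proposed, before refinement; kept to show over-tagging.
    "Hotjar": [r"csrf.*", r"user.*", r"nsid"],
}

def compile_types(types):
    return {name: [re.compile(p) for p in pats] for name, pats in types.items()}

def cookie_names(header):
    """Return the cookie names from a Cookie request-header value."""
    return [p.split("=", 1)[0].strip() for p in header.split(";") if p.strip()]

def classify(header, types=COOKIE_TYPES):
    """Map each cookie name to the types whose patterns match the whole name.
    Assumption: patterns apply to the key (cookie name), not the value, and as
    full matches, so "_ga" does not also tag "_gat"."""
    compiled = compile_types(types)
    return {
        name: [t for t, pats in compiled.items() if any(p.fullmatch(name) for p in pats)]
        for name in cookie_names(header)
    }

def overbroad_patterns(types, generic_names):
    """List (type, pattern, hits) where a pattern also matches cookie names that
    unrelated frameworks commonly set: the false-positive risk raised in the thread."""
    flagged = []
    for tname, pats in compile_types(types).items():
        for p in pats:
            hits = [n for n in generic_names if p.fullmatch(n)]
            if hits:
                flagged.append((tname, p.pattern, hits))
    return flagged

# Constructed cookie names set by frameworks unrelated to any product above.
GENERIC_NAMES = ["csrftoken", "user_id", "session_id", "XSRF-TOKEN"]
```

Running `overbroad_patterns(COOKIE_TYPES, GENERIC_NAMES)` flags only the Hotjar `csrf.*` and `user.*` entries, while the refined Facebook patterns `_fbp` and `_fbc` flag nothing.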
@avneesh-akto - I have made the changes and tested by modifying json file link inside test case. Please review - https://github.com/akto-api-security/akto/pull/682
💭 Introduction
Akto allows users to find sensitive params in request and response of APIs. These sensitive params include PII data such as SSN, credit card number, phone number etc. You can check how it works in the docs.
Your task is to add cookie types as sensitive params.
👀 Impact
Your task will give users the ability to detect cookie types as sensitive data types.
🎯 Requirements
✅ Task summary:
facebook, intercom, google ads, hotjar, fullstory, mixpanel, appsflyer)
🙋🏼♂️ Questions:
If you have questions, need any help, or just want to hang out, make sure to join us on our Discord server.