⚡️Add sensitive data Cookie types

[Ankita28g]

💭 Introduction

Akto allows users to find sensitive params in request and response of APIs. These sensitive params include PII data such as SSN, Credit card number, phone number etc. You can check how it works in the docs.

Your task is to add cookie types as sensitive params.

👀 Impact

Your task will give users the ability to detect cookie types sensitive data types.

🎯 Requirements

• Understanding of regex
• Understanding of unit test

✅ Task summary:

• [ ] Ask to be assigned to the issue.
• [ ] Wait to be assigned. We will try to assign in less than 2 hours.
• [ ] Make regular expressions for below cookie types. Feel free to add your own too.
• [ ] Please provide the reference URL that mentions the nature of the cookie.
• [ ] Add an entry in fintech.json file
• [ ] Add a test case entry in TestFintechTypes.java
• [ ] Submit a pull request here

facebook, intercom, google ads, hotjar, fullstory, mixpanel, appsflyer)

🙋🏼‍♂️ Questions:

If you have questions, need any help, or just want to hang out, make sure to join us on our Discord server.

[bhavya-error404]

Hi Ankita, I would like to try on this issue and contribute. Can you please assign me to this issue?

[Ankita28g]

HI @bhavya-error404, Assigned to you! Happy hackfesting 🎉

[bhavya-error404]

Hi @Ankita28g , I need to add regex for facebook, intercom etc cookie types. For example a regex that would be able to detect a facebook cookie, right?

[ankush-jain-akto]

Hi @bhavya-error404 - yes. In this case, you might want to add the regexes based on keys rather than values. They can cookie names for products or infrastructures -

For example,

• _ga _gid is for Google Analytics
• intercom.* is for Intercom

examples for infra based are -

• .*srf.* is for CSRF token
• JSESSIONID is for Jetty session
• AWS.* for AWS Loadbalancer cookies

[Ankita28g]

Hi @bhavya-error404 thanks for your submission in Hackfest. 🔥 We are reviewing your work. Do these two below:

Join this group on discord for discussions around prizes? 🚀 🏆 Please fill this form your PR to be considered for prizes!

[Ankita28g]

hi @bhavya-error404 did you submit a PR here?

[bhavya-error404]

yes ankita

[bhavya-error404]

here is the link https://github.com/akto-api-security/akto/pull/251

[harshalkh]

@ankush-jain-akto , @Ankita28g I can pick this up. Can you please assign this to me.

[harshalkh]

@Ankita28g @ankush-jain-akto - I have analysed list of cookies and below are details - Is it good to proceed? Also do I need to have separate entry in fintech.json for each product/infrastructure?

Facebook Cookies:

c_user.*
datr
csrf
_fbp, _fbc

Ref: https://www.facebook.com/privacy/policies/cookies/?annotations[0]=explanation%2F1_common_cookies_and_uses

intercom- Cookies: intercom.* Ref- https://www.intercom.com/help/en/articles/2361922-intercom-messenger-cookies

google ads- Cookies:

_ga
_gid

Ref-

hotjar- Cookies:

csrf.*
optanon.*
_dc_gtm_UA_.*
.*consent
cf.*
__cf.*
user.*
ts.*
nsid

Ref-https://help.hotjar.com/hc/en-us/articles/115011789248-Cookies-on-hotjar-com#cookies_set_by_hotjar_website

fullstory- Cookies:

fs_.*
_fs.*

Ref: https://help.fullstory.com/hc/en-us/articles/360020829513-Why-FullStory-uses-First-Party-Cookies

mixpanel- Cookies:

.*mixpanel-.*
mp.*

Ref: https://cookiedatabase.org/service/mixpanel/

appsflyer- Cookies:

_hj.*
_ym.*

Ref- https://www.appsflyer.com/legal/cookie-list/

[harshalkh]

@Ankita28g @ankush-jain-akto - I have analysed list of cookies and below are details - Is it good to proceed? Also do I need to have separate entry in fintech.json for each product/infrastructure?

Facebook Cookies:

c_user.*
datr
csrf
_fbp, _fbc

Ref: https://www.facebook.com/privacy/policies/cookies/?annotations[0]=explanation%2F1_common_cookies_and_uses

intercom- Cookies: intercom.* Ref- https://www.intercom.com/help/en/articles/2361922-intercom-messenger-cookies

google ads- Cookies:

_ga
_gid

Ref-

hotjar- Cookies:

csrf.*
optanon.*
_dc_gtm_UA_.*
.*consent
cf.*
__cf.*
user.*
ts.*
nsid

Ref-https://help.hotjar.com/hc/en-us/articles/115011789248-Cookies-on-hotjar-com#cookies_set_by_hotjar_website

fullstory- Cookies:

fs_.*
_fs.*

Ref: https://help.fullstory.com/hc/en-us/articles/360020829513-Why-FullStory-uses-First-Party-Cookies

mixpanel- Cookies:

.*mixpanel-.*
mp.*

Ref: https://cookiedatabase.org/service/mixpanel/

appsflyer- Cookies:

_hj.*
_ym.*

Ref- https://www.appsflyer.com/legal/cookie-list/

@Ankita28g / @ankush-jain-akto - is it good for me to proceed? If yes could you assign this to me?

[avneesh-akto]

Hi @harshalkh

Your analysis is correct, but we should be cautious about over-tagging, especially with common cookies like csrf, as it could lead to false positives. To minimize this, please refine the list, focusing on unique cookies specific to Facebook, like _fbp and _fbc. I've assigned the issue to you in the meantime.

[harshalkh]

Hi @harshalkh

Your analysis is correct, but we should be cautious about over-tagging, especially with common cookies like csrf, as it could lead to false positives. To minimize this, please refine the list, focusing on unique cookies specific to Facebook, like _fbp and _fbc. I've assigned the issue to you in the meantime.

@avneesh-akto - I have made the changes and tested by modifying json file link inside test case. Please review - https://github.com/akto-api-security/akto/pull/682