From ee17307a712f2e0d53c94428181856057ab2ce70 Mon Sep 17 00:00:00 2001
From: domwhewell-sage <122788350+domwhewell-sage@users.noreply.github.com>
Date: Fri, 11 Aug 2023 11:54:32 +0100
Subject: [PATCH 1/3] Create cookie cached on disk

---
 other/tokens/cookie-cached-on-disk.bcheck | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
 create mode 100644 other/tokens/cookie-cached-on-disk.bcheck

diff --git a/other/tokens/cookie-cached-on-disk.bcheck b/other/tokens/cookie-cached-on-disk.bcheck
new file mode 100644
index 0000000..183357f
--- /dev/null
+++ b/other/tokens/cookie-cached-on-disk.bcheck
@@ -0,0 +1,14 @@
+metadata:
+    language: v1-beta
+    name: "Cookie cached on disk"
+    description: "Checks if cookies are cached on disk"
+    tags: "passive"
+
+given response then
+    if {latest.response} matches "Set-Cookie:.+(expires=[\w\d\s:,]+;|max-age=\d+;).+" then
+        report issue:
+            severity: info
+            confidence: certain
+            detail: "Cookies are set that have an expires or max-age attribute, these are considered persistent cookies and will be stored on disk by the web browser until the expiration time.  Check to ensure these are not used to maintain the login session as if an authenticated user does not click the logout button and instead cloes the browser, the session will resume when the browser is re-opened. If an attacker has access to the filesystem location where the web browser cache is stored the session cookie could be extracted and used to authenticate the attacker to the web application. If it is a shared machine another user could authenticate themselves just by re-opening the browser."
+            remediation: "Session management tokens should make use of non-persistent cookies. This forces the session to disappear from the client if the current web browser is closed. Therefore the expires or max-age attribute should be removed from the session cookie. https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#expire-and-max-age-attributes"
+    end if
\ No newline at end of file

From ca9dd47339135c87dfb74543317ab0aaab9d1aed Mon Sep 17 00:00:00 2001
From: domwhewell-sage <122788350+domwhewell-sage@users.noreply.github.com>
Date: Fri, 11 Aug 2023 12:42:40 +0100
Subject: [PATCH 2/3] Corrected spelling mistake

---
 other/tokens/cookie-cached-on-disk.bcheck | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/other/tokens/cookie-cached-on-disk.bcheck b/other/tokens/cookie-cached-on-disk.bcheck
index 183357f..f6e5388 100644
--- a/other/tokens/cookie-cached-on-disk.bcheck
+++ b/other/tokens/cookie-cached-on-disk.bcheck
@@ -9,6 +9,6 @@ given response then
         report issue:
             severity: info
             confidence: certain
-            detail: "Cookies are set that have an expires or max-age attribute, these are considered persistent cookies and will be stored on disk by the web browser until the expiration time.  Check to ensure these are not used to maintain the login session as if an authenticated user does not click the logout button and instead cloes the browser, the session will resume when the browser is re-opened. If an attacker has access to the filesystem location where the web browser cache is stored the session cookie could be extracted and used to authenticate the attacker to the web application. If it is a shared machine another user could authenticate themselves just by re-opening the browser."
+            detail: "Cookies are set that have an expires or max-age attribute, these are considered persistent cookies and will be stored on disk by the web browser until the expiration time.  Check to ensure these are not used to maintain the login session as if an authenticated user does not click the logout button and instead closes the browser, the session will resume when the browser is re-opened. If an attacker has access to the filesystem location where the web browser cache is stored the session cookie could be extracted and used to authenticate the attacker to the web application. If it is a shared machine another user could authenticate themselves just by re-opening the browser."
             remediation: "Session management tokens should make use of non-persistent cookies. This forces the session to disappear from the client if the current web browser is closed. Therefore the expires or max-age attribute should be removed from the session cookie. https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#expire-and-max-age-attributes"
     end if
\ No newline at end of file

From 4e00778cc3ac39a2b0309de702af8f689fffa151 Mon Sep 17 00:00:00 2001
From: domwhewell-sage <122788350+domwhewell-sage@users.noreply.github.com>
Date: Fri, 11 Aug 2023 14:05:31 +0100
Subject: [PATCH 3/3] Made suggested changes

---
 other/tokens/cookie-cached-on-disk.bcheck | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/other/tokens/cookie-cached-on-disk.bcheck b/other/tokens/cookie-cached-on-disk.bcheck
index f6e5388..f9ea89d 100644
--- a/other/tokens/cookie-cached-on-disk.bcheck
+++ b/other/tokens/cookie-cached-on-disk.bcheck
@@ -5,7 +5,7 @@ metadata:
     tags: "passive"
 
 given response then
-    if {latest.response} matches "Set-Cookie:.+(expires=[\w\d\s:,]+;|max-age=\d+;).+" then
+    if {latest.response} matches "(?i)Set-Cookie:.+(expires=[\w\d\s:,]+;|max-age=\d+;).*" then
         report issue:
             severity: info
             confidence: certain