
Update: Cookie Theft Mitigation Cheat Sheet - Factual error #1631

Open
SublimePeace opened this issue Mar 19, 2025 · 3 comments · May be fixed by #1632
Labels
ACK_OBTAINED Issue acknowledged from core team so work can be done to fix it. UPDATE_CS Issue about the update/refactoring of a existing cheat sheet.

Comments

@SublimePeace

What is missing or needs to be updated?

The article incorrectly uses the terms "False Negative" and "False Positive" when describing the limitations of the solutions aimed at mitigating cookie theft. This is confusing and factually wrong.

Link to section: https://cheatsheetseries.owasp.org/cheatsheets/Cookie_Theft_Mitigation_Cheat_Sheet.html#cookie-theft-mitigation

Specifically, these two sentences are problematic:

In other words, it is not possible to say with certainty that it is an attack just because the IP-Geo has changed. This means that there are False Negatives (it seems to be an attack, but it is not) in this detection method.

"False Negatives" is wrong here. It should read "False Positives".

At the same time, even if the IP-Geo does not change, there is also the possibility that the attacker is attacking from within the same country. This means that this detection method has a False positives (it seems not to be an attack, but it is).

"False positives" should be "False Negatives".

The later sentence:

However, as mentioned earlier, monitoring sessions has the potential for false positives, so if you have to re-authenticate too often, it will be a poor experience for the user.

does use "false positive" correctly, which further adds to the potential for confusion.

Reasoning:

This correction aligns the text with the standard definitions of False Positives and False Negatives in the context of security detection:

A legitimate IP change (e.g. the user travelling) incorrectly flagged as an attack is a False Positive.

An attacker's activity not flagged correctly as an attack is a False Negative.

written by me, formatted to markdown using AI
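To make the terminology in the issue concrete, here is an added example (not part of the issue, the cheat sheet, or the OWASP project's code) that runs the IP-Geo-change rule over a small constructed set of session events with ground-truth labels and tallies the outcomes as True/False Positives/Negatives. The session ids, countries and attacker labels are invented for illustration; the point is that a travelling user produces a False Positive and an attacker in the same country produces a False Negative, exactly as the issue describes.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Iterable, Iterator, Tuple


@dataclass(frozen=True)
class SessionEvent:
    session_id: str
    country: str       # country resolved from the request's client IP (IP-Geo)
    is_attacker: bool  # constructed ground truth; a real detector never knows this


# Constructed sample traffic (hypothetical, not real logs). The first event of each
# session sets the baseline geo; the rule under discussion flags any later change.
EVENTS = [
    SessionEvent("s1", "DE", False),
    SessionEvent("s1", "DE", False),
    SessionEvent("s1", "FR", False),   # same user on a trip: flagged but legitimate -> FP
    SessionEvent("s2", "US", False),
    SessionEvent("s2", "US", True),    # stolen cookie replayed from the same country -> FN
    SessionEvent("s3", "JP", False),
    SessionEvent("s3", "RU", True),    # stolen cookie replayed from abroad -> TP
    SessionEvent("s4", "BR", False),
    SessionEvent("s4", "BR", False),   # ordinary traffic, no change -> TN
]

Detector = Callable[[Iterable[SessionEvent]], Iterator[Tuple[SessionEvent, bool]]]


def geo_change_detector(events: Iterable[SessionEvent]) -> Iterator[Tuple[SessionEvent, bool]]:
    """Yield (event, flagged): flagged when the country differs from the session's baseline."""
    baseline = {}
    for ev in events:
        first_country = baseline.setdefault(ev.session_id, ev.country)
        yield ev, ev.country != first_country


def classify(flagged: bool, is_attacker: bool) -> str:
    """Map a detector verdict against ground truth to the standard confusion-matrix terms."""
    if flagged and is_attacker:
        return "TP"          # correctly detected attack
    if flagged and not is_attacker:
        return "FP"          # seems to be an attack, but it is not
    if not flagged and is_attacker:
        return "FN"          # seems not to be an attack, but it is
    return "TN"              # correctly ignored benign traffic


def confusion_matrix(events: Iterable[SessionEvent],
                     detector: Detector = geo_change_detector) -> Counter:
    """Count TP/FP/FN/TN for a detector over labelled events (missing keys read as 0)."""
    return Counter(classify(flagged, ev.is_attacker) for ev, flagged in detector(events))


def false_positive_rate(cm: Counter) -> float:
    """Share of benign events that were flagged: FP / (FP + TN)."""
    benign = cm["FP"] + cm["TN"]
    return cm["FP"] / benign if benign else 0.0


def false_negative_rate(cm: Counter) -> float:
    """Share of attacker events that slipped through: FN / (FN + TP)."""
    attacks = cm["FN"] + cm["TP"]
    return cm["FN"] / attacks if attacks else 0.0


def needless_reauth_prompts(events: Iterable[SessionEvent],
                            detector: Detector = geo_change_detector) -> int:
    """If every flag forces re-authentication, each FP is a prompt shown to a legitimate user."""
    return confusion_matrix(events, detector)["FP"]


if __name__ == "__main__":
    cm = confusion_matrix(EVENTS)
    print(dict(cm))
    print("FPR:", false_positive_rate(cm), "FNR:", false_negative_rate(cm))
    print("re-auth prompts hitting real users:", needless_reauth_prompts(EVENTS))
```

The `needless_reauth_prompts` helper ties the two halves of the issue together: the False Positives of the geo rule are precisely the re-authentication prompts that degrade the experience for real users, while the False Negatives are the attacks the rule can never see.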

@SublimePeace SublimePeace added ACK_WAITING Issue waiting acknowledgement from core team before to start the work to fix it. HELP_WANTED Issue for which help is wanted to do the job. UPDATE_CS Issue about the update/refactoring of a existing cheat sheet. labels Mar 19, 2025
@szh
Collaborator

szh commented Mar 19, 2025

Yup, good catch. Do you want to submit a PR to fix this?

@szh szh added ACK_OBTAINED Issue acknowledged from core team so work can be done to fix it. and removed ACK_WAITING Issue waiting acknowledgement from core team before to start the work to fix it. labels Mar 19, 2025
@jmanico
Member

jmanico commented Mar 19, 2025

I agree, this is a very astute observation. We look forward to your PR. If you don't feel like issuing a PR let us know and I'll take care of it.

@aakarshgopishetty

Hi! I'd love to work on this issue. I'll submit a PR shortly to fix the terminology. Let me know if there are any additional considerations. Thanks!

SublimePeace added a commit to SublimePeace/CheatSheetSeries that referenced this issue Mar 20, 2025
@szh szh linked a pull request Mar 20, 2025 that will close this issue
@szh szh removed the HELP_WANTED Issue for which help is wanted to do the job. label Mar 20, 2025

4 participants