From 40d9f933e6467f6eed681ffcf4736be69cc2ed1f Mon Sep 17 00:00:00 2001 From: Ophir LOJKINE Date: Wed, 10 Jun 2026 16:47:53 +0200 Subject: [PATCH] Exclude attacker-planted-cookie attacks from the threat model Attacks that require injecting attacker-chosen cookies into the victim's browser (e.g. OIDC login CSRF / session fixation via a forged login-flow-state cookie) are out of scope: SQLPage assumes its origin cookie jar is writable only by the user agent. --- SECURITY.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index a1e8cc60..9d44d0a2 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -135,6 +135,13 @@ SQLPage vulnerabilities: needs. - A SQLPage application is publicly reachable because no authentication was configured. +- An attacker can plant or overwrite cookies for the SQLPage origin (for + example through a compromised subdomain, a sibling application on a shared + parent domain, or a man-in-the-middle on plain HTTP). Attacks that depend on + injecting attacker-chosen cookies into the victim's browser, such as OIDC + login CSRF or session fixation via a forged login-flow-state cookie, are out + of scope. SQLPage assumes its origin's cookie jar is writable only by the + user agent, not by attackers. - Trusted SQL asks SQLPage or the database to perform expensive work. These may still be serious and should be fixed in the affected application,