Cookie Poisoning
ID | cookie_poisoning
Severity | info
Kind | Session Management
CWE | 565
Description
This check looks at user-supplied input in query string parameters and POST data to identify where that input might control cookie parameters. This is called a cookie poisoning attack, and it becomes exploitable when an attacker can manipulate the cookie in various ways. In some cases this will not be exploitable; however, allowing URL parameters to set cookie values is generally considered a bug.
Rationale
Cookie poisoning vulnerabilities allow attackers to manipulate application state and session data by injecting malicious values through URL parameters or POST data that are reflected into cookies. Attackers can craft URLs that set arbitrary cookie values, potentially injecting additional name-value pairs using semicolon delimiters to override security flags or session attributes. This can lead to session fixation attacks, privilege escalation through role cookie manipulation, or bypassing security controls by poisoning cookies used for authentication or authorization decisions.
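The reflection described above can be shown with a weak cookie setter beside a hardened one, plus a small audit that compares request parameters against `Set-Cookie` headers. This is an added example, not the scanner's own code or part of the original page; the `lang` parameter, the allowlist, the function names and all sample values are constructed assumptions.

```python
# Assumed allowlist for a hypothetical "lang" preference cookie.
ALLOWED_LANGS = {"en", "fr", "de"}


def set_cookie_naive(lang: str) -> str:
    """Deliberately weak: the request parameter is copied into the header as-is."""
    return f"lang={lang}; Path=/; HttpOnly"


def set_cookie_hardened(lang: str) -> str:
    """Only server-known values reach the cookie; anything else becomes the default."""
    value = lang if lang in ALLOWED_LANGS else "en"
    return f"lang={value}; Path=/; HttpOnly"


def audit_reflection(params: dict[str, str],
                     set_cookie_headers: list[str]) -> list[tuple[str, str, str]]:
    """Return (parameter, cookie, kind) for each parameter reflected into a cookie."""
    findings = []
    for header in set_cookie_headers:
        # The first "name=value" pair is the cookie; the rest are attributes.
        pair, _, _attrs = header.partition(";")
        cookie_name, _, cookie_value = pair.strip().partition("=")
        for pname, pvalue in params.items():
            if not pvalue:
                continue
            if pvalue == cookie_value:
                findings.append((pname, cookie_name, "reflected"))
            elif ";" in pvalue and pvalue in header:
                # The value carried a delimiter that survived into the header,
                # so part of it is now parsed as cookie attributes.
                findings.append((pname, cookie_name, "reflected-with-delimiter"))
    return findings


if __name__ == "__main__":
    # Constructed probe values: a unique marker and a value containing a delimiter.
    for probe in ("zz9probe", "fr; SameSite=None"):
        params = {"lang": probe}
        print("naive   ", audit_reflection(params, [set_cookie_naive(probe)]))
        print("hardened", audit_reflection(params, [set_cookie_hardened(probe)]))
```

An allowlisted value such as `fr` still matches as reflected in the hardened setter, so a unique marker value gives a cleaner signal when auditing.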