Plaintext Storage In Cookie
ID | java.plaintext_storage_in_cookie
Severity | low
Resource | Information Leak
Language | Java
Tags | CWE:315, NIST.SP.800-53, OWASP:2021:A4
Description
Cleartext storage of sensitive information in a cookie occurs when sensitive data is stored in cookies without any form of encryption, potentially exposing it to unauthorized access.
This vulnerability can lead to information disclosure and can be exploited by attackers who gain access to the cookies.
Rationale
This vulnerability arises when sensitive information such as a username, a session ID, or an authentication token is stored directly in a cookie value without being encrypted. This is a security risk because a cookie can be intercepted when it travels over an unencrypted channel, read by injected scripts (cross-site scripting) if it is not marked HttpOnly, or recovered from the browser's cookie store on a shared or compromised device.
import javax.servlet.http.Cookie;

public class CookieExample {
    public void addCookie(javax.servlet.http.HttpServletResponse response, String username) {
        Cookie cookie = new Cookie("user", username); // Storing username directly in a cookie
        response.addCookie(cookie);
    }
}
In this example, the username is stored directly in the cookie without encryption, making it susceptible to interception and unauthorized access. It is crucial to ensure that sensitive data is protected when stored in cookies to prevent information leakage and ensure compliance with data protection regulations.
Remediation
If possible, do not store sensitive information in cookies at all. Sensitive data in a cookie is usually a sign of a design problem: instead of placing user details in the cookie, keep them in the application backend and let the cookie carry only an opaque, randomly generated session identifier that the server maps to that state (the servlet container's JSESSIONID cookie does exactly this). Regenerate the session identifier when the user authenticates, so that a session ID planted before login cannot be reused afterwards (session fixation).
If you really need to store sensitive information in a cookie, encrypt it at the backend with a key that only the server holds. Use authenticated encryption (for example AES-GCM) from a standard cryptographic library, so that a cookie that has been modified or forged is rejected rather than decrypted into garbage; unauthenticated AES, and in particular the ECB mode that Cipher.getInstance("AES") selects by default in Java, is not sufficient. The key must be stable across requests and shared by every server that reads the cookie: a key generated on each request cannot decrypt anything later and is not a remediation.
Ensure that the cookie is marked as Secure, which prevents the browser from sending it over an unencrypted channel (plain HTTP), and as HttpOnly, which prevents it from being read by JavaScript in the browser and so blocks exfiltration through a cross-site scripting vulnerability. Where the application supports it, also set SameSite to Lax or Strict so the cookie is not attached to cross-site requests. Note that these flags and encryption limit exposure but do not change the nature of the cookie: whoever obtains a valid value can replay it, so keep cookie lifetimes short and invalidate server-side state on logout.
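As an added illustration of the preferred option (this is example code, not code from the original page), the following servlet keeps the user's identity in the server-side HttpSession and lets the container issue the opaque JSESSIONID cookie, so nothing sensitive ever reaches the browser. It also invalidates any pre-login session and issues a fresh one, which is the defence against session fixation mentioned above. The class name SessionBackedLoginServlet, the authenticatedUser attribute and the in-memory user store are assumptions made for the example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Map;
import java.util.Optional;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: user details stay on the server; the browser only holds the
// container-issued session ID cookie (JSESSIONID). Names are illustrative.
public class SessionBackedLoginServlet extends HttpServlet {

    private static final String USER_ATTR = "authenticatedUser";

    // Constructed demo store: username -> SHA-256(password). A real application
    // uses a slow password hash (bcrypt, scrypt, Argon2) and a persistent store.
    private static final Map<String, byte[]> DEMO_USERS =
            Map.of("alice", sha256("correct horse battery staple"));

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String username = request.getParameter("username");
        String password = request.getParameter("password");

        if (!checkCredentials(username, password)) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Drop any session that existed before authentication and issue a new ID,
        // so a session ID planted by an attacker before login is worthless afterwards.
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = request.getSession(true);
        session.setAttribute(USER_ATTR, username);   // sensitive data lives server-side only
        session.setMaxInactiveInterval(15 * 60);     // idle timeout in seconds

        response.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    // Later requests resolve the user from the session, never from a cookie value.
    static Optional<String> currentUser(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session == null) {
            return Optional.empty();
        }
        return Optional.ofNullable((String) session.getAttribute(USER_ATTR));
    }

    private static boolean checkCredentials(String username, String password) {
        if (username == null || password == null) {
            return false;
        }
        byte[] expected = DEMO_USERS.get(username);
        if (expected == null) {
            return false;
        }
        return MessageDigest.isEqual(expected, sha256(password)); // constant-time compare
    }

    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

The session cookie itself should carry the Secure and HttpOnly flags; with the Servlet 3.0+ API that is configured once for the whole application in web.xml, under session-config, as a cookie-config element with http-only and secure set to true, rather than on each Cookie object.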
A revised Java example using authenticated encryption might look like this:

import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

public class SecureCookieExample {
    private static final int IV_BYTES = 12;    // 96-bit nonce, the recommended size for GCM
    private static final int TAG_BITS = 128;   // authentication tag length
    private static final SecureRandom RANDOM = new SecureRandom();

    // The key must be stable across requests and shared by every server that reads
    // the cookie. Load it from the application's secret store (here: a Base64-encoded
    // 256-bit key in an environment variable); never generate a fresh key per call.
    private static SecretKey loadKey() {
        byte[] raw = Base64.getDecoder().decode(System.getenv("COOKIE_AES_KEY"));
        return new SecretKeySpec(raw, "AES");
    }

    private static String encrypt(String plainText, SecretKey key) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        RANDOM.nextBytes(iv); // fresh IV for every value; IV reuse under one GCM key is fatal
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ciphertext = cipher.doFinal(plainText.getBytes(StandardCharsets.UTF_8));
        // Store IV || ciphertext || tag so the server can decrypt the value later
        byte[] out = new byte[iv.length + ciphertext.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ciphertext, 0, out, iv.length, ciphertext.length);
        // URL-safe Base64 without padding keeps the value free of characters
        // that some cookie processors would otherwise quote
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
    }

    public void addSecureCookie(HttpServletResponse response, String username) throws Exception {
        String encryptedValue = encrypt(username, loadKey());
        Cookie cookie = new Cookie("user", encryptedValue);
        cookie.setHttpOnly(true);
        cookie.setSecure(true);
        cookie.setPath("/");
        response.addCookie(cookie);
    }
}

In the revised example, the sensitive value is encrypted with AES-GCM before it is placed in the cookie. The loadKey method obtains a long-lived key from the application's configuration rather than generating one per request, so the same server (or any other server holding that key) can decrypt the value on later requests. The encrypt method draws a fresh random IV for every value and stores it in front of the ciphertext; the GCM authentication tag that AES-GCM appends lets the server reject a cookie that was altered or forged instead of decrypting it to garbage. The HttpOnly and Secure attributes are then set to keep the cookie away from scripts and off unencrypted connections.
By using authenticated encryption and setting appropriate cookie attributes, you significantly decrease the risk of sensitive data exposure through cookies. Encryption hides the value, but the cookie remains a bearer credential: anyone who obtains it can present it until it expires, so short lifetimes and server-side invalidation still matter.
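The remediation shows only the write path. As an added example that is not part of the original page, the following class shows the matching read path and the behaviour that makes authenticated encryption worth using: a cookie value is accepted only if the GCM tag verifies, while a malformed, forged, modified, or wrong-key value yields an empty result that the caller must treat as "no authenticated user". The class name CookieCrypto, the seal/open method names and the randomly generated test-only key are assumptions for the example; a deployment loads a managed key instead.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.Optional;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Added example: round trip of an AES-GCM protected cookie value and the
// outcome for a tampered value. Names are illustrative, not from the page.
public class CookieCrypto {
    private static final int IV_BYTES = 12;
    private static final int TAG_BITS = 128;
    private static final SecureRandom RANDOM = new SecureRandom();

    // Write path: random IV || ciphertext || tag, URL-safe Base64 without padding.
    static String seal(String plainText, SecretKey key) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        RANDOM.nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = cipher.doFinal(plainText.getBytes(StandardCharsets.UTF_8));
        byte[] blob = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, blob, 0, iv.length);
        System.arraycopy(ct, 0, blob, iv.length, ct.length);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(blob);
    }

    // Read path: empty for anything that is not a valid, untampered value produced
    // under this key. Callers must treat empty as "no authenticated user".
    static Optional<String> open(String cookieValue, SecretKey key) {
        if (cookieValue == null) {
            return Optional.empty();
        }
        try {
            byte[] blob = Base64.getUrlDecoder().decode(cookieValue);
            if (blob.length < IV_BYTES + TAG_BITS / 8) {
                return Optional.empty();      // too short to hold an IV and a tag
            }
            byte[] iv = Arrays.copyOfRange(blob, 0, IV_BYTES);
            byte[] ct = Arrays.copyOfRange(blob, IV_BYTES, blob.length);
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
            return Optional.of(new String(cipher.doFinal(ct), StandardCharsets.UTF_8));
        } catch (AEADBadTagException e) {
            return Optional.empty();          // tag mismatch: forged, modified, or wrong key
        } catch (Exception e) {
            return Optional.empty();          // bad Base64, unsupported algorithm, etc.
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] raw = new byte[32];
        RANDOM.nextBytes(raw);                // test-only key; production loads a managed key
        SecretKey key = new SecretKeySpec(raw, "AES");

        String sealed = seal("alice", key);
        System.out.println("valid value accepted: " + open(sealed, key).isPresent());

        // Flip one bit of the ciphertext: the GCM tag no longer verifies.
        byte[] blob = Base64.getUrlDecoder().decode(sealed);
        blob[IV_BYTES] ^= 0x01;
        String tampered = Base64.getUrlEncoder().withoutPadding().encodeToString(blob);
        System.out.println("tampered value accepted: " + open(tampered, key).isPresent());

        // A value sealed under a different key is rejected the same way.
        byte[] other = new byte[32];
        RANDOM.nextBytes(other);
        System.out.println("other-key value accepted: "
                + open(sealed, new SecretKeySpec(other, "AES")).isPresent());
    }
}
```

The important property is that open never returns a partially decrypted or attacker-chosen string: any change to the value, including a single flipped bit, fails the tag check and is indistinguishable to the caller from a missing cookie. What this does not provide is binding to a client: a correctly sealed value that is stolen intact still opens, which is why the Secure and HttpOnly flags and a short lifetime remain necessary.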
References
- CWE-315: Cleartext Storage of Sensitive Information in a Cookie.
- OWASP Top 10 2021, Category A02: Cryptographic Failures.