Unsafe Cookie

ID

java.unsafe_cookie

Severity

high

Resource

Misconfiguration

Language

Java

Tags

CWE:1004, CWE:315, CWE:539, CWE:614, NIST.SP.800-53, PCI-DSS:6.5.10

Description

Unsafe cookie handling encompasses multiple vulnerabilities related to the improper management of cookies, which can lead to security issues such as disclosure of sensitive information or session hijacking.

Relevant weaknesses include cleartext storage of sensitive information in a cookie (CWE-315), use of persistent cookies containing sensitive information (CWE-539), a sensitive cookie sent in an HTTPS session without the Secure attribute (CWE-614), and a sensitive cookie without the HttpOnly flag (CWE-1004).

Rationale

Cookies are often used to store session identifiers and other sensitive information. Several potential vulnerabilities arise if cookies are not handled securely:

  • CWE-315: Cleartext Storage of Sensitive Information in a Cookie: Storing sensitive information (credentials, account identifiers, authorization state) in a cookie in cleartext exposes it to anyone who can read the cookie, whether on the wire, in the browser's cookie store, or in proxy and server logs.

  • CWE-539: Use of Persistent Cookies Containing Sensitive Information: A persistent cookie (one with a positive Max-Age or an Expires date) is written to disk and survives the browser being closed, so a sensitive value stored in it can be recovered from the cookie store long after the user has finished, including on shared machines.

  • CWE-614: Sensitive Cookie in HTTPS Session without 'Secure' Attribute: Without the Secure attribute the browser also sends the cookie on plain-HTTP requests to the same host, so a network attacker who can induce a single such request (an http:// link or image) can intercept it.

  • CWE-1004: Sensitive Cookie without 'HttpOnly' Flag: A cookie readable through document.cookie can be read and exfiltrated by injected JavaScript, turning any cross-site scripting flaw into session theft.

Consider this example illustrating some unsafe practices:

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

public class InsecureCookieExample {
    public void setCookie(HttpServletResponse response) {
        Cookie cookie = new Cookie("sessionId", "abc123");

        // Insecure practices: missing Secure and HttpOnly attributes
        response.addCookie(cookie);
    }
}

In this example, the session identifier cookie is added without the Secure and HttpOnly attributes, exposing it to potential security risks.

Remediation

To secure cookies in web applications, implement the following practices:

  1. Use the Secure Attribute: Set the Secure attribute on every cookie carrying sensitive data when the application is served over HTTPS. The browser then sends the cookie only over TLS and never on a plain-HTTP request.

  2. Set the HttpOnly Attribute: Apply the HttpOnly attribute to cookies that store sensitive data, so they are not exposed through document.cookie to client-side scripts; this mitigates the impact of cross-site scripting on the session.

  3. Avoid Storing Sensitive Data in Cookies: Prefer an opaque identifier that references state kept on the server. If application data must live in a cookie, encrypt and integrity-protect it, and never store passwords or other credentials in a cookie.

  4. Manage Cookie Expirations Wisely: Use session cookies (no Max-Age or Expires; setMaxAge(-1) in the Servlet API) rather than persistent ones for sensitive information, so the cookie is discarded when the browser closes.

  5. Regularly Audit Cookie Usage: Review the Set-Cookie headers the application actually emits, including cookies set by the container and by frameworks rather than by your own code, to confirm the attributes above are consistently applied.

Here’s a secure implementation:

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

public class SecureCookieExample {
    public void setSecureCookie(HttpServletResponse response, String opaqueSessionId) {
        // The value is an opaque random identifier that references server-side state;
        // no sensitive data is stored in the cookie itself (CWE-315).
        Cookie cookie = new Cookie("sessionId", opaqueSessionId);

        // Secure practices: adding Secure and HttpOnly attributes
        cookie.setSecure(true);     // only sent over HTTPS (CWE-614)
        cookie.setHttpOnly(true);   // not readable via document.cookie (CWE-1004); requires Servlet 3.0+

        // Max-Age -1 makes this a session cookie: it is held in memory and
        // discarded when the browser closes, so it is never persisted (CWE-539).
        cookie.setMaxAge(-1);

        response.addCookie(cookie);
    }
}

This example demonstrates best practices, ensuring that cookies are transmitted securely and are protected from client-side access, greatly reducing the risk of session hijacking and data exposure.
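The example above hardens one hand-built cookie. To apply steps 1, 2, 4 and 5 to every cookie the application emits, including the container-managed session cookie (JSESSIONID), which is added by the container and never passes through application code, the following added example (not code from the original page) uses a ServletContextListener for the container's session cookie and a Filter with an HttpServletResponseWrapper for cookies added by servlets. It assumes Servlet 3.0 or later (setHttpOnly, SessionCookieConfig and the annotations were introduced there; the two components can equally be declared in web.xml). The class names and the SENSITIVE_NAME pattern are illustrative choices of this example, not part of the rule.

```java
import java.io.IOException;
import java.util.logging.Logger;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/** Applies the remediation steps to every cookie the application emits. Servlet 3.0+. */
public class CookieHardening {

    private static final Logger LOG = Logger.getLogger(CookieHardening.class.getName());

    // Assumption of this example: cookies whose names match this pattern carry
    // session or authentication state and must never be persisted (step 4).
    private static final Pattern SENSITIVE_NAME = Pattern.compile("(?i).*(session|auth|token).*");

    /** Hardens the container-managed session cookie (JSESSIONID) at startup. */
    @WebListener
    public static class SessionCookieHardeningListener implements ServletContextListener {
        @Override
        public void contextInitialized(ServletContextEvent sce) {
            // These setters are only permitted before the context finishes initialising,
            // which is why this runs in a listener and not in a filter or servlet.
            SessionCookieConfig config = sce.getServletContext().getSessionCookieConfig();
            config.setHttpOnly(true); // CWE-1004: not readable through document.cookie
            config.setSecure(true);   // CWE-614: only sent over HTTPS
            config.setMaxAge(-1);     // CWE-539: discarded when the browser closes
        }

        @Override
        public void contextDestroyed(ServletContextEvent sce) { }
    }

    /** Wraps every response so cookies added by any servlet pass through addCookie below. */
    @WebFilter("/*")
    public static class CookieHardeningFilter implements Filter {
        @Override
        public void init(FilterConfig filterConfig) { }

        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            if (req instanceof HttpServletRequest && res instanceof HttpServletResponse) {
                res = new HardeningResponse((HttpServletRequest) req, (HttpServletResponse) res);
            }
            chain.doFilter(req, res);
        }

        @Override
        public void destroy() { }
    }

    /** Enforces the attributes on application cookies and audits what is being set. */
    static final class HardeningResponse extends HttpServletResponseWrapper {
        private final boolean overTls;

        HardeningResponse(HttpServletRequest request, HttpServletResponse response) {
            super(response);
            // Behind a TLS-terminating proxy this is only true when the container is
            // configured to trust X-Forwarded-Proto (for Tomcat, the RemoteIpValve).
            this.overTls = request.isSecure();
        }

        @Override
        public void addCookie(Cookie cookie) {
            cookie.setHttpOnly(true); // step 2
            // Step 1, set unconditionally so a plain-HTTP deployment fails closed:
            // modern browsers reject a Secure cookie that arrives over http://.
            cookie.setSecure(true);
            if (!overTls) {
                // Step 5: leave an audit trail for deployments still answering on HTTP.
                LOG.warning("Cookie '" + cookie.getName()
                        + "' set on a non-TLS request; the browser will discard it");
            }
            if (cookie.getMaxAge() > 0 && SENSITIVE_NAME.matcher(cookie.getName()).matches()) {
                // Step 4: a persistent cookie holding session state survives browser
                // restarts (CWE-539); force it back to session scope.
                LOG.warning("Cookie '" + cookie.getName() + "' was persistent; forcing session scope");
                cookie.setMaxAge(-1);
            }
            super.addCookie(cookie);
        }
    }
}
```

Both halves are needed: the wrapper only sees cookies that go through HttpServletResponse.addCookie, while the container writes its own session cookie directly, so its attributes come from SessionCookieConfig. The log lines give the audit of step 5 something concrete to review, and the fail-closed choice on Secure means a misconfigured HTTP-only deployment shows up as lost sessions in testing rather than as a cleartext session cookie in production.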

Configuration

The detector has the following configurable parameters:

  • checkPersistence: whether the persistence of the cookie (a positive max age) is checked.

  • invalidCookieNamePattern: the pattern used to detect invalid cookie names.

  • invalidDomainPattern: the pattern used to detect invalid domain names.

  • invalidPathPattern: the pattern used to detect invalid paths.

  • enforceHttpOnly: whether the HttpOnly flag of the cookie is checked.

  • enforceSecure: whether the Secure flag of the cookie is checked.

References

  • CWE-315 : Cleartext Storage of Sensitive Information in a Cookie.

  • CWE-539 : Use of Persistent Cookies Containing Sensitive Information.

  • CWE-614 : Sensitive Cookie in HTTPS Session without 'Secure' Attribute.

  • CWE-1004 : Sensitive Cookie without 'HttpOnly' Flag.

  • OWASP - Top 10 2021 Category A05 : Security Misconfiguration.