Unsafe Cookie

ID

javascript.unsafe_cookie

Severity

high

Resource

Misconfiguration

Language

JavaScript

Tags

CWE:1004, CWE:315, CWE:539, CWE:614, NIST.SP.800-53, PCI-DSS:6.5.10

Description

Unsafe cookie handling covers several weaknesses in how cookies are created and managed, which can lead to disclosure of sensitive information or session hijacking.

The relevant weaknesses are cleartext storage of sensitive data in a cookie (CWE-315), persistent cookies containing sensitive information (CWE-539), a sensitive cookie sent without the Secure attribute (CWE-614), and a sensitive cookie without the HttpOnly flag, which leaves it readable by client-side script (CWE-1004).

Rationale

Cookies are often used to store session identifiers and other sensitive information. Several potential vulnerabilities arise if cookies are not handled securely:

  • CWE-315: Cleartext Storage of Sensitive Information in a Cookie: Storing sensitive information in cookies without encryption can lead to unauthorized disclosure.

  • CWE-539: Use of Persistent Cookies Containing Sensitive Information: Persistent cookies that remain valid after a session can be exploited if not handled properly.

  • CWE-614: Sensitive Cookie in HTTPS Session without 'Secure' Attribute: Cookies without the Secure attribute can be transmitted over unencrypted connections, exposing them to interception.

  • CWE-1004: Sensitive Cookie without 'HttpOnly' Flag: Cookies accessible to client-side scripts can be stolen via cross-site scripting attacks.

The following is an example of an unsafe cookie:

var express = require('express');
var app = express();
// Placeholder for the sensitive value the cookie carries (the original
// snippet left mySecret undefined); any string works for the example.
var mySecret = 'placeholder-secret-value';

app.get('/', function(req, res) {
  // FLAW: persistent cookie (maxAge), too-broad domain ('.com'),
  // cookie may be sent in clear (secure: false), not httpOnly
  res.cookie('secret-cookie', mySecret, {domain: '.com', secure: false, maxAge: 900000});
  // ...
});

Remediation

To secure cookies in web applications, implement the following practices:

  1. Use the Secure Attribute: Always set the Secure attribute on cookies if your application supports HTTPS. This ensures cookies are only sent over secure channels.

  2. Set the HttpOnly Attribute: Apply the HttpOnly attribute to cookies that store sensitive data, preventing access from client-side scripts and mitigating XSS risks.

  3. Avoid Storing Sensitive Data in Cookies: Encrypt any sensitive data stored in cookies and, where possible, avoid storing information like passwords or sensitive session data directly.

  4. Manage Cookie Expirations Wisely: Use session cookies rather than persistent ones for sensitive information, ensuring they expire appropriately and reduce the risk of exploitation.

  5. Regularly Audit Cookie Usage: Review cookies in use on your website to ensure best practices are consistently applied.

The following fixes the unsafe cookie vulnerability:

var express = require('express');
var app = express();
// Placeholder for the sensitive value the cookie carries (the original
// snippet left mySecret undefined); any string works for the example.
var mySecret = 'placeholder-secret-value';

app.get('/', function(req, res) {
  // FIXED: specific domain, Secure and HttpOnly set, and no maxAge so the
  // cookie is a session cookie that expires when the browser session ends
  res.cookie('secret-cookie', mySecret, {domain: 'example.com', secure: true, httpOnly: true});
  // ...
});

Configuration

The detector has the following configurable parameters:

  • checkPersistence: whether the persistence of the cookie (for example a maxAge setting) must be checked.

  • invalidCookieNamePattern: the pattern used to detect invalid cookie names.

  • invalidDomainPattern: the pattern used to detect invalid domain names.

  • invalidPathPattern: the pattern used to detect invalid paths.

  • enforceHttpOnly: whether the HttpOnly flag of the cookie must be checked.

  • enforceSecure: whether the Secure flag of the cookie must be checked.
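The following is an added example, not the detector's own code, showing how the checks behind the flaw and fix above and the configurable parameters listed here can be expressed as a small audit of the option object passed to Express's res.cookie(). The default patterns and the finding labels are assumptions chosen for the example.

```javascript
// Added example: audit the options passed to res.cookie() against the
// rule's parameters. Defaults are assumptions, not the detector's values.
const DEFAULT_CONFIG = {
  checkPersistence: true,
  invalidCookieNamePattern: /password|creditcard|ssn/i, // assumed pattern
  invalidDomainPattern: /^\.?[a-z]+$/i,                 // bare TLD such as '.com'
  invalidPathPattern: /^\/?$/,                           // root path or empty
  enforceHttpOnly: true,
  enforceSecure: true,
};

// Returns a list of finding strings for one cookie; an empty list means clean.
function auditCookieOptions(name, options, config) {
  const cfg = Object.assign({}, DEFAULT_CONFIG, config);
  const opts = options || {};
  const findings = [];
  if (cfg.enforceSecure && opts.secure !== true) {
    findings.push('CWE-614: secure attribute not set');
  }
  if (cfg.enforceHttpOnly && opts.httpOnly !== true) {
    findings.push('CWE-1004: httpOnly attribute not set');
  }
  // maxAge or expires makes the cookie outlive the browser session.
  if (cfg.checkPersistence && (opts.maxAge !== undefined || opts.expires !== undefined)) {
    findings.push('CWE-539: persistent cookie');
  }
  if (cfg.invalidCookieNamePattern.test(name)) {
    findings.push('CWE-315: cookie name suggests sensitive content');
  }
  if (opts.domain !== undefined && cfg.invalidDomainPattern.test(opts.domain)) {
    findings.push('domain too broad: ' + opts.domain);
  }
  if (opts.path !== undefined && cfg.invalidPathPattern.test(opts.path)) {
    findings.push('path too broad: ' + opts.path);
  }
  return findings;
}

// The option objects from the flawed and fixed snippets above, constructed inline.
const FLAWED = { domain: '.com', secure: false, maxAge: 900000 };
const FIXED = { domain: 'example.com', secure: true, httpOnly: true };

console.log(auditCookieOptions('secret-cookie', FLAWED)); // four findings
console.log(auditCookieOptions('secret-cookie', FIXED));  // []
```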

References

  • CWE-315: Cleartext Storage of Sensitive Information in a Cookie.

  • CWE-539: Use of Persistent Cookies Containing Sensitive Information.

  • CWE-614: Sensitive Cookie in HTTPS Session without 'Secure' Attribute.

  • CWE-1004: Sensitive Cookie without 'HttpOnly' Flag.

  • OWASP Top 10 2021, Category A05: Security Misconfiguration.