Cookies In Security Decision

ID

python.cookies_in_security_decision

Severity

high

Resource

Authentication

Language

Python

Tags

CWE:784, NIST.SP.800-53, OWASP:2021:A8, PCI-DSS:6.5.6

Description

Reliance on cookies without validation and integrity checking in a security decision.

Rationale

Cookies are often used in web applications to maintain state, manage sessions, and track user activity. However, every cookie the server receives was sent by the client, so a security decision based on a raw cookie value is a decision based on attacker-controlled input.

An attacker can read, replay, forge, or edit cookies (in the browser's developer tools or through an intercepting proxy) and thereby steer application behaviour. CWE-784 describes exactly this weakness: a security decision made from a cookie that the application has neither validated nor integrity-checked.

Consider the following Python snippet:

from django.contrib.auth.models import User

def check(request):
    # request.COOKIES is a plain dict of cookie name -> value, all of it client-supplied
    for name, value in request.COOKIES.items():
        if name == "role":
            perm = value

            elon = User.objects.get(username="elon")

            if elon.has_perm(perm): # FLAW: the permission being checked is taken straight from a cookie the client controls
                doAdminOperation(request)

In this example, the decision to run an admin operation rests entirely on the value of the role cookie. Nothing ties that value to the authenticated user or proves the server issued it, so a client can set role to any permission name it likes and pass the check.

Remediation

To mitigate the risks associated with using cookies for security decisions, implement a robust strategy including:

  1. Use Secure and HttpOnly Flags: Set cookies with the Secure flag (sent only over HTTPS) and the HttpOnly flag (not readable from JavaScript) to reduce the risk of theft in transit or through XSS. Note that these flags protect confidentiality, not integrity: the cookie's owner can still edit it in the browser or in an intercepting proxy.

  2. Use Cryptographically Signed Values: Instead of storing a plain value such as role=admin, store a server-signed token (an HMAC-signed value, a signed JWT, or Django's signed cookies via django.core.signing) and verify the signature on every request. A signed token is tamper-evident rather than tamper-proof: the protection only holds if the server verifies the signature with its own key, rejects tokens whose algorithm is missing or "none", and enforces an expiry.

  3. Implement Server-Side Validation: Make authorization decisions from state the server controls, such as the user record resolved from the session identifier (in Django, request.user.has_perm(...)), never from a claim carried in a cookie. A cookie should at most identify the session; roles and permissions belong on the server.

  4. Conduct Regular Security Assessments: Regularly review and test applications for security weaknesses using SAST and penetration testing tools to ensure that vulnerabilities are identified and addressed promptly.

By applying these measures, developers keep authority on the server side and ensure that a cookie, however it has been edited, cannot by itself change the outcome of a security decision.
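The following is an added example, not code from this rule's page or from Django: it shows the hardened form of the check() above together with the signed-cookie approach from step 2, using only the Python standard library so it runs offline. The session store, user records and SECRET_KEY are constructed placeholders standing in for Django's session backend, User model and settings; in a real Django project you would use request.user.has_perm() and django.core.signing rather than the hand-rolled HMAC helpers here.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Hypothetical per-deployment key; a real app loads it from settings, never from source.
SECRET_KEY = b"replace-me-with-a-32-byte-random-secret"


def b64url_encode(data: bytes) -> str:
    """URL-safe base64 without padding, so the value is cookie-safe."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(payload: dict, key: bytes = SECRET_KEY, now: Optional[int] = None) -> str:
    """Serialize the claims with an issued-at timestamp and append an HMAC-SHA256 tag."""
    claims = dict(payload, iat=int(now if now is not None else time.time()))
    body = b64url_encode(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    tag = hmac.new(key, body.encode("utf-8"), hashlib.sha256).digest()
    return f"{body}.{b64url_encode(tag)}"


def verify_cookie(token: str, key: bytes = SECRET_KEY, max_age: int = 3600,
                  now: Optional[int] = None) -> Optional[dict]:
    """Return the claims only if the tag matches and the token is unexpired; otherwise None."""
    try:
        body, tag_text = token.split(".", 1)
        given = b64url_decode(tag_text)
    except ValueError:          # no separator, or an undecodable tag
        return None
    expected = hmac.new(key, body.encode("utf-8"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):   # constant-time comparison
        return None
    try:
        claims = json.loads(b64url_decode(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("iat"), int):
        return None
    current = int(now if now is not None else time.time())
    if current - claims["iat"] > max_age:
        return None
    return claims


# Constructed server-side session store standing in for Django's session backend and
# User model. Permissions live here, on the server, never in a cookie.
SESSIONS = {
    "s3ss10n": {"username": "alice", "perms": {"app.view_report"}},
    "adm1n":   {"username": "elon",  "perms": {"app.view_report", "app.admin"}},
}


def current_user(cookies: dict) -> Optional[dict]:
    """Resolve the user from the opaque session id; the id itself carries no authority."""
    return SESSIONS.get(cookies.get("sessionid", ""))


def can_do_admin_operation(cookies: dict) -> bool:
    """Hardened form of the page's check(): a role cookie, forged or not, is ignored."""
    user = current_user(cookies)
    return user is not None and "app.admin" in user["perms"]


if __name__ == "__main__":
    forged = {"sessionid": "s3ss10n", "role": "app.admin"}   # alice sets her own role cookie
    print("forged role cookie grants admin:", can_do_admin_operation(forged))   # False
    token = issue_cookie({"role": "user"})
    print("server-issued token verifies:", verify_cookie(token) is not None)    # True
    body, tag = token.split(".", 1)
    edited = b64url_encode(b'{"iat":0,"role":"admin"}') + "." + tag   # body swapped, old tag kept
    print("edited token verifies:", verify_cookie(edited) is not None)         # False
```

can_do_admin_operation never reads the role cookie at all, which is the real fix for this rule; issue_cookie/verify_cookie are for the narrower case where some value genuinely has to travel in a cookie, and even then the server should treat the verified claims as a hint to cross-check against its own records, not as the final authority.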

References