Description

The application relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user. Attackers can easily modify cookies, within the browser or by implementing the client-side code outside of the browser. Reliance on cookies without detailed validation and integrity checking can allow attackers to bypass authentication, conduct injection attacks such as SQL injection and cross-site scripting, or otherwise modify inputs in unexpected ways.

Relationships

  Nature    Type       ID    View
  ChildOf   Weakness   642   1000
  ChildOf   Category   254   699
  ChildOf   Weakness   602   1000
  ChildOf   Category   898   888

Relationship Notes

This problem can be primary to many types of weaknesses in web applications. A developer may perform proper validation against URL parameters while assuming that attackers cannot modify cookies. As a result, the program might skip basic input validation, enabling cross-site scripting, SQL injection, price tampering, and other attacks.

Time of Introduction

  Architecture and Design
  Implementation

Common Consequences

  Scope: Access Control
  Impact: Gain privileges / assume identity

Other Notes

It is dangerous to use cookies to set a user's privileges. The cookie can be manipulated to escalate an attacker's privileges to an administrative level.

Potential Mitigations

  Phase: Architecture and Design
  Avoid using cookie data for a security-related decision.

  Phase: Implementation
  Perform thorough input validation (i.e., server-side validation) on the cookie data if you are going to use it for a security-related decision.

  Phase: Architecture and Design
  Add integrity checks to detect tampering.

  Phase: Architecture and Design
  Protect critical cookies from replay attacks, since cross-site scripting or other attacks may allow attackers to steal a strongly-encrypted cookie that also passes integrity checks. This mitigation applies to cookies that should only be valid during a single transaction or session. By enforcing timeouts, you may limit the scope of an attack. As part of your integrity check, use an unpredictable, server-side value that is not exposed to the client.

Demonstrative Example

The following code excerpt reads a value from a browser cookie to determine the role of the user.

Language: Java

    // Reads the user's role directly from a client-supplied cookie.
    Cookie[] cookies = request.getCookies();
    if (cookies != null) {                       // getCookies() returns null when the request carries no cookies
        for (int i = 0; i < cookies.length; i++) {
            Cookie c = cookies[i];
            if (c.getName().equals("role")) {
                userRole = c.getValue();         // trusts a value the client can set to anything
            }
        }
    }

It is easy for an attacker to modify the "role" value found in the locally stored cookie, allowing privilege escalation.

Related Attack Patterns (CAPEC IDs)

  31
  39

Content History

Submissions
  Anonymous Tool Vendor (under NDA)

Modifications
  2008-07-01  Sean Eidemiller (Cigital): added/updated demonstrative examples
  2008-07-01  Eric Dalci (Cigital): updated Potential_Mitigations, Time_of_Introduction
  2008-09-08  CWE Content Team (MITRE): updated Relationships, Other_Notes, Taxonomy_Mappings
  2009-01-12  CWE Content Team (MITRE): updated Common_Consequences, Description, Other_Notes, Potential_Mitigations, Relationships
  2009-07-16  CWE Content Team (MITRE): clarified name and description; broadened the definition to include any security-critical operation, not just security decisions, to allow for relationships with injection weaknesses
  2009-07-27  CWE Content Team (MITRE): updated Description, Name, Potential_Mitigations, Relationship_Notes, Relationships, Taxonomy_Mappings
  2009-10-29  CWE Content Team (MITRE): updated Relationships
  2011-06-01  CWE Content Team (MITRE): updated Common_Consequences
  2012-05-11  CWE Content Team (MITRE): updated Demonstrative_Examples, Relationships

Previous Entry Names
  Use of Cookies
  Use of Cookies in Security Decision
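The mitigations above call for an integrity check built on a server-side secret, plus a timeout to bound replay. The following class is an added example written for this page, not code from the CWE entry or from any project it references: it shows how the "role" cookie from the demonstrative example can be issued with an HMAC tag and an expiry, and how the server rejects a cookie whose role field was altered or whose timeout has passed. The class name, the cookie layout, and the sample key are assumptions chosen for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;

// Added example (not from the CWE entry): an HMAC-protected, expiring "role" cookie.
// The key stays on the server, so a client that edits the role or the expiry cannot
// produce a matching tag, and tampering is detected before the value is used.
public class SignedRoleCookie {
    private static final String ALG = "HmacSHA256";
    private final byte[] secret; // assumption: loaded from protected server config, never sent to the client

    public SignedRoleCookie(byte[] secret) { this.secret = secret; }

    // Cookie value layout (assumed for this example):
    //   base64url(role) "." expiryEpochSeconds "." base64url(HMAC(base64url(role) "." expiry))
    public String issue(String role, long expiryEpochSeconds) {
        String payload = b64(role.getBytes(StandardCharsets.UTF_8)) + "." + expiryEpochSeconds;
        return payload + "." + b64(hmac(payload));
    }

    // Returns the verified role, or null if the cookie is malformed, its tag does not match, or it has expired.
    public String verify(String cookieValue, long nowEpochSeconds) {
        if (cookieValue == null) return null;
        String[] parts = cookieValue.split("\\.", -1);
        if (parts.length != 3) return null;
        long expiry;
        try {
            expiry = Long.parseLong(parts[1]);
        } catch (NumberFormatException e) {
            return null;
        }
        byte[] presented;
        byte[] roleBytes;
        try {
            presented = Base64.getUrlDecoder().decode(parts[2]);
            roleBytes = Base64.getUrlDecoder().decode(parts[0]);
        } catch (IllegalArgumentException e) {
            return null;
        }
        byte[] expected = hmac(parts[0] + "." + parts[1]);
        // Constant-time comparison so response timing does not reveal how many tag bytes were correct.
        if (!MessageDigest.isEqual(expected, presented)) return null;
        // The expiry is covered by the tag, so it is only trusted after the tag has been checked.
        if (nowEpochSeconds >= expiry) return null;
        return new String(roleBytes, StandardCharsets.UTF_8);
    }

    private byte[] hmac(String data) {
        try {
            Mac mac = Mac.getInstance(ALG);
            mac.init(new SecretKeySpec(secret, ALG));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    private static String b64(byte[] in) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(in);
    }

    public static void main(String[] args) {
        // Constructed sample key for the demo; a deployment would load a random 32-byte key from protected config.
        SignedRoleCookie cookies = new SignedRoleCookie(
                "constructed-sample-key-do-not-use".getBytes(StandardCharsets.UTF_8));
        long now = 1_700_000_000L;
        String good = cookies.issue("user", now + 600);
        System.out.println("valid    -> " + cookies.verify(good, now));       // user
        // Same cookie with the role field replaced and the original tag left in place: the tag no longer matches.
        String altered = b64("admin".getBytes(StandardCharsets.UTF_8)) + good.substring(good.indexOf('.'));
        System.out.println("altered  -> " + cookies.verify(altered, now));    // null
        // Same cookie presented after its timeout has passed: rejected even though the tag is valid.
        System.out.println("expired  -> " + cookies.verify(good, now + 601)); // null
    }
}
```

The signed cookie addresses the "add integrity checks" and "enforce timeouts" mitigations, but not the first one: the stronger design keeps the role in server-side session state and sends the client only an opaque, unpredictable session identifier, so no security-relevant value is ever round-tripped through the browser. Whichever approach is used, the cookie should also carry the Secure and HttpOnly attributes so that it is not sent in cleartext or exposed to script.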