Reliance on Cookies without Validation and Integrity Checking in a Security Decision| ID: 784 | Date: (C)2012-05-14 (M)2022-10-10 |
| Type: weakness | Status: DRAFT |
| Abstraction Type: Variant |
Description
The application uses a protection mechanism that relies on the
existence or values of a cookie, but it does not properly ensure that the cookie
is valid for the associated user.
Extended DescriptionAttackers can easily modify cookies, within the browser or by
implementing the client-side code outside of the browser. Attackers can
bypass protection mechanisms such as authorization and authentication by
modifying the cookie to contain an expected value.
Likelihood of Exploit: High
Applicable PlatformsLanguage Class: Language-independentArchitectural Paradigm: Web-basedArchitectural Paradigm: Often
Time Of Introduction
- Architecture and Design
- Implementation
Common Consequences
| Scope | Technical Impact | Notes |
|---|
| Access_Control | Bypass protection
mechanismGain privileges / assume
identity | It is dangerous to use cookies to set a user's privileges. The cookie
can be manipulated to claim a high level of authorization, or to claim
that successful authentication has occurred. |
Detection MethodsNone
Potential Mitigations
| Phase | Strategy | Description | Effectiveness | Notes |
|---|
| Architecture and Design | | Avoid using cookie data for a security-related decision. | | |
| Implementation | | Perform thorough input validation (i.e.: server side validation) on
the cookie data if you're going to use it for a security related
decision. | | |
| Architecture and Design | | Add integrity checks to detect tampering. | | |
| Architecture and Design | | Protect critical cookies from replay attacks, since cross-site
scripting or other attacks may allow attackers to steal a
strongly-encrypted cookie that also passes integrity checks. This
mitigation applies to cookies that should only be valid during a single
transaction or session. By enforcing timeouts, you may limit the scope
of an attack. As part of your integrity check, use an unpredictable,
server-side value that is not exposed to the client. | | |
Relationships
| Related CWE | Type | View | Chain |
|---|
| CWE-784 ChildOf CWE-442 | Category | CWE-699 | |
Demonstrative Examples (Details)
- In the following example, an authentication flag is read from a
browser cookie, thus allowing for external control of user state
data. (Demonstrative Example Id DX-17)
- The following code could be for a medical records application. It
performs authentication by checking if a cookie has been set. (Demonstrative Example Id DX-16)
- The following code excerpt reads a value from a browser cookie to
determine the role of the user. (Demonstrative Example Id DX-15)
Observed Examples
- CVE-2009-1549 : Attacker can bypass authentication by setting a cookie to a specific value.
- CVE-2009-1619 : Attacker can bypass authentication and gain admin privileges by setting an "admin" cookie to 1.
- CVE-2009-0864 : Content management system allows admin privileges by setting a "login" cookie to "OK."
- CVE-2008-5784 : e-dating application allows admin privileges by setting the admin cookie to 1.
- CVE-2008-6291 : Web-based email list manager allows attackers to gain admin privileges by setting a login cookie to "admin."
For more examples, refer to CVE relations in the bottom box.
White Box Definitions None
Black Box Definitions None
Taxynomy MappingsNone
References:
- Steve Christey .Unforgivable Vulnerabilities. 2007-08-02.
- M. Howard D. LeBlanc .Writing Secure Code 2nd Edition. Microsoft. Section:'Chapter 13, "Sensitive Data in Cookies and Fields" Page
435'. Published on 2002.
