Plaintext Storage in a Cookie
Weakness ID: 315 (Weakness Variant)Status: Draft
+ Description

Description Summary

Storing sensitive data in plaintext in a cookie makes the data more easily accessible than if encrypted. This significantly lowers the difficulty of exploitation by attackers.
+ Time of Introduction
  • Architecture and Design
+ Applicable Platforms

Languages

All

+ Demonstrative Examples

Example 1

The following code excerpt stores a plaintext user account ID in a browser cookie.

(Bad Code)
Example Language: Java 
response.addCookie( new Cookie("userAccountID", acctID);
+ Observed Examples
ReferenceDescription
CVE-2002-1800SecurityDatabase\User\Admin password in plaintext in a cookie.
CVE-2001-1537Default configuration has cleartext usernames/passwords in cookie.
CVE-2001-1536Usernames/passwords in cleartext in cookies.
CVE-2005-2160Authentication information stored in cleartext in a cookie.
+ Potential Mitigations

Sensitive information should not be stored in plaintext in a cookie. Even if heavy fortifications are in place, sensitive data should be encrypted to prevent the risk of losing confidentiality.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness BaseWeakness Base312Cleartext Storage of Sensitive Information
Development Concepts (primary)699
Research Concepts (primary)1000
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVERPlaintext Storage in Cookie
+ Related Attack Patterns
CAPEC-IDAttack Pattern Name
(CAPEC Version: 1.4)
31Accessing/Intercepting/Modifying HTTP Cookies
37Lifting Data Embedded in Client Distributions
39Manipulating Opaque Client-based Data Tokens
74Manipulating User State
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
PLOVERExternally Mined
Modifications
Modification DateModifierOrganizationSource
2008-07-01Sean EidemillerCigitalExternal
added/updated demonstrative examples
2008-07-01Eric DalciCigitalExternal
updated Time of Introduction
2008-09-08CWE Content TeamMITREInternal
updated Relationships, Taxonomy Mappings
Previous Entry Names
Change DatePrevious Entry Name
2008-04-11Plaintext Storage in Cookie
Back to top