Reliance on Cookies without Validation and Integrity Checking
Weakness ID: 565 (Weakness Base)Status: Incomplete
+ Description

Description Summary

The application relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user.

Extended Description

Attackers can easily modify cookies, within the browser or by implementing the client-side code outside of the browser. Reliance on cookies without detailed validation and integrity checking can allow attackers to bypass authentication, conduct injection attacks such as SQL injection and cross-site scripting, or otherwise modify inputs in unexpected ways.

+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Common Consequences
ScopeEffect
Authorization

It is dangerous to use cookies to set a user's privileges. The cookie can be manipulated to escalate an attacker's privileges to an administrative level.

+ Demonstrative Examples

Example 1

The following code excerpt reads a value from a browser cookie to determine the role of the user.

(Bad Code)
Example Language: Java 
Cookie[] cookies = request.getCookies();
for (int i =0; i< cookies.length; i++) {
Cookie c = cookies[i];
if (c.getName().equals("role")) {
userRole = c.getValue();
}
}
+ Potential Mitigations

Phase: Architecture and Design

Avoid using cookie data for a security-related decision.

Phase: Implementation

Perform thorough input validation (i.e.: server side validation) on the cookie data if you're going to use it for a security related decision.

Phase: Architecture and Design

Add integrity checks to detect tampering.

Phase: Architecture and Design

Protect critical cookies from replay attacks, since cross-site scripting or other attacks may allow attackers to steal a strongly-encrypted cookie that also passes integrity checks. This mitigation applies to cookies that should only be valid during a single transaction or session. By enforcing timeouts, you may limit the scope of an attack. As part of your integrity check, use an unpredictable, server-side value that is not exposed to the client.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfCategoryCategory254Security Features
Development Concepts (primary)699
ChildOfWeakness BaseWeakness Base602Client-Side Enforcement of Server-Side Security
Research Concepts1000
ChildOfWeakness ClassWeakness Class642External Control of Critical State Data
Research Concepts (primary)1000
ParentOfWeakness VariantWeakness Variant784Reliance on Cookies without Validation and Integrity Checking in a Security Decision
Development Concepts (primary)699
Research Concepts (primary)1000
+ Relationship Notes

This problem can be primary to many types of weaknesses in web applications. A developer may perform proper validation against URL parameters while assuming that attackers cannot modify cookies. As a result, the program might skip basic input validation to enable cross-site scripting, SQL injection, price tampering, and other attacks..

+ Related Attack Patterns
CAPEC-IDAttack Pattern Name
(CAPEC Version: 1.4)
31Accessing/Intercepting/Modifying HTTP Cookies
39Manipulating Opaque Client-based Data Tokens
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
Anonymous Tool Vendor (under NDA)Externally Mined
Modifications
Modification DateModifierOrganizationSource
2008-07-01Sean EidemillerCigitalExternal
added/updated demonstrative examples
2008-07-01Eric DalciCigitalExternal
updated Potential Mitigations, Time of Introduction
2008-09-08CWE Content TeamMITREInternal
updated Relationships, Other Notes, Taxonomy Mappings
2009-01-12CWE Content TeamMITREInternal
updated Common Consequences, Description, Other Notes, Potential Mitigations, Relationships
2009-07-16
(Critical)
CWE Content TeamMITREInternal
Clarified name and description; broadened the definition to include any security-critical operation, not just security decisions, to allow for relationships with injection weaknesses.
2009-07-27CWE Content TeamMITREInternal
updated Description, Name, Potential Mitigations, Relationship Notes, Relationships, Taxonomy Mappings
2009-10-29CWE Content TeamMITREInternal
updated Relationships
Previous Entry Names
Change DatePrevious Entry Name
2008-04-11Use of Cookies
2009-07-27Use of Cookies in Security Decision
Back to top