Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
Weakness ID: 614 (Weakness Variant) | Status: Draft
Description Summary
The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.
Example 1
The snippet of code below, taken from a servlet doPost() method, sets a sensitive accountID cookie without calling setSecure(true). Because the attribute is absent, the browser will also attach the cookie to plaintext HTTP requests to the same host, where it can be read by anyone on the network path.
(Bad Code)
Example Language: Java
// accountID is sensitive, but the cookie is created without setSecure(true),
// so the user agent will send it over HTTP as well as HTTPS.
Cookie c = new Cookie(ACCOUNT_ID, acctID);
response.addCookie(c);
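The direct fix is to call c.setSecure(true) before response.addCookie(c). The example below is an added illustration, not code from the CWE entry: a servlet Filter (the class name SecureCookieFilter and the mapping to /* are assumptions) that wraps every HTTPS response and forces the Secure and HttpOnly attributes on each cookie the application adds, so a single forgotten setSecure(true) in a doPost() method no longer exposes the session. It requires Servlet API 3.0 or later for setHttpOnly() and @WebFilter.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Added example (not part of CWE-614): forces the Secure and HttpOnly
 * attributes on every cookie added to a response produced over HTTPS.
 * Class name and /* mapping are assumptions for illustration.
 */
@WebFilter("/*")
public class SecureCookieFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Only wrap responses to requests that arrived over TLS. A Secure cookie
        // set on a plain-HTTP response would never be returned by the browser.
        if (req.isSecure() && res instanceof HttpServletResponse) {
            chain.doFilter(req, new SecureCookieResponse((HttpServletResponse) res));
        } else {
            chain.doFilter(req, res);
        }
    }

    @Override
    public void destroy() {
        // nothing to release
    }

    /** Response wrapper that hardens cookies before the container serialises them. */
    static final class SecureCookieResponse extends HttpServletResponseWrapper {
        SecureCookieResponse(HttpServletResponse response) {
            super(response);
        }

        @Override
        public void addCookie(Cookie cookie) {
            // Equivalent to calling c.setSecure(true) in the page's doPost() example,
            // but applied to every cookie so the omission cannot recur (CWE-614).
            cookie.setSecure(true);
            // Keep the value out of reach of page scripts as well (Servlet 3.0+).
            cookie.setHttpOnly(true);
            super.addCookie(cookie);
        }
    }
}
```

Two caveats when relying on a filter like this: cookies written directly with response.setHeader("Set-Cookie", ...) or addHeader() bypass addCookie() and are not hardened by the wrapper, and the Secure attribute only stops the browser from sending the cookie over HTTP; it does not stop an attacker on the network from setting a cookie of the same name through a plaintext response from the same host, so the session cookie should also be validated server-side against the authenticated TLS session.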
Reference | Description
---|---
CVE-2004-0462 | A product does not set the Secure attribute for sensitive cookies in HTTPS sessions, which could cause the user agent to send those cookies in plaintext over an HTTP session with the product.
CVE-2008-3663 | A product does not set the secure flag for the session cookie in an HTTPS session, which can cause the cookie to be sent in HTTP requests and make it easier for remote attackers to capture this cookie.
CVE-2008-3662 | A product does not set the secure flag for the session cookie in an HTTPS session, which can cause the cookie to be sent in HTTP requests and make it easier for remote attackers to capture this cookie.
CVE-2008-0128 | A product does not set the secure flag for a cookie in an HTTPS session, which can cause the cookie to be sent in HTTP requests and make it easier for remote attackers to capture this cookie.
Nature | Type | ID | Name | View(s) this relationship pertains to
---|---|---|---|---
ChildOf | Weakness Base | 311 | Missing Encryption of Sensitive Data | Development Concepts (primary) 699; Research Concepts (primary) 1000
CAPEC-ID | Attack Pattern Name (CAPEC Version: 1.4)
---|---
102 | Session Sidejacking
Submissions
Submission Date | Submitter | Organization | Source
---|---|---|---
 | Anonymous Tool Vendor (under NDA) | | Externally Mined
Modifications
Modification Date | Modifier | Organization | Source | Change
---|---|---|---|---
2008-07-01 | Sean Eidemiller | Cigital | External | added/updated demonstrative examples
2008-07-01 | Eric Dalci | Cigital | External | updated Potential Mitigations, Time of Introduction
2008-09-08 | CWE Content Team | MITRE | Internal | updated Relationships, Taxonomy Mappings
2008-10-14 | CWE Content Team | MITRE | Internal | updated Observed Examples
2009-03-10 | CWE Content Team | MITRE | Internal | updated Name
2009-05-27 | CWE Content Team | MITRE | Internal | updated Related Attack Patterns
Previous Entry Names
Change Date | Previous Entry Name
---|---
2008-04-11 | Unset Secure Attribute for Sensitive Cookies in HTTPS Session