
Insecurely generated cookies

Need

Secure generation and handling of cookies

Context

  • Usage of Dart for building cross-platform mobile, web, and desktop applications
  • Usage of Shelf for handling HTTP requests and composing middleware in a Dart server application

Description

Non compliant code

import 'package:shelf/shelf.dart' as shelf;

shelf.Response handleRequest(shelf.Request request) {
  var response = shelf.Response.ok('Hello, World!');
  // Session cookie issued without Secure, HttpOnly or SameSite attributes
  return response.change(headers: {
    'Set-Cookie': 'sessionId=123456; Path=/;',
  });
}

The above code snippet represents a simple server-side Dart application using the shelf framework. The function handleRequest processes an incoming request and returns a response that sets a session cookie.

The vulnerability lies in the way the Set-Cookie HTTP header is being set. It sets a sessionId cookie without any security attributes, such as Secure or HttpOnly.

  • The Secure attribute ensures that the cookie is sent only over HTTPS connections, which protects it from being intercepted during transmission.
  • The HttpOnly attribute ensures that the cookie cannot be accessed through client-side scripts, which protects it from cross-site scripting (XSS) attacks.

In the current state, the cookie can be sent over unsecured HTTP connections and can be accessed via client-side scripts, making it vulnerable to interception and unauthorized access.

Steps

  • Use the 'Secure' attribute in the 'Set-Cookie' HTTP response header. This attribute instructs the browser to only send the cookie over an encrypted HTTPS connection.
  • Use the 'HttpOnly' attribute in the 'Set-Cookie' HTTP response header. This attribute prevents client-side scripts from accessing the cookie, mitigating the risk of cross-site scripting (XSS) attacks.
  • Ensure that the 'SameSite' attribute is set to 'Strict' or 'Lax' in the 'Set-Cookie' HTTP response header. This attribute helps to mitigate the risk of cross-site request forgery (CSRF) attacks.

Compliant code

import 'package:shelf/shelf.dart' as shelf;

shelf.Response handleRequest(shelf.Request request) {
  var response = shelf.Response.ok('Hello, World!');
  // Cookie restricted to HTTPS, hidden from scripts, and not sent cross-site
  return response.change(headers: {
    'Set-Cookie': 'sessionId=123456; Path=/; Secure; HttpOnly; SameSite=Strict',
  });
}

The updated code now sets the 'Secure', 'HttpOnly', and 'SameSite' attributes for the 'Set-Cookie' HTTP response header.

  • The 'Secure' attribute instructs the browser to only send the cookie over an encrypted HTTPS connection. This prevents the cookie from being sent in plain text, which could be intercepted and read by unauthorized users.

  • The 'HttpOnly' attribute prevents client-side scripts from accessing the cookie. This mitigates the risk of cross-site scripting (XSS) attacks, where an attacker could use a script to read the cookie and gain unauthorized access to the session.

  • The 'SameSite' attribute is set to 'Strict', which means the cookie will only be sent in a first-party context (i.e., if the URL in the browser's address bar matches the domain of the cookie). This helps to mitigate the risk of cross-site request forgery (CSRF) attacks, where an attacker could trick a user into performing an action on a website where they are authenticated.

By setting these attributes, the system ensures that sensitive cookies are not disclosed to unauthorized users or sent over insecure connections.
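As an added example (not code from the original page or from the shelf project), the following Dart snippet turns the three steps above into a reusable check: a shelf Middleware that refuses to send any response whose Set-Cookie header lacks Secure, HttpOnly and a Strict or Lax SameSite value, together with a handler that issues the cookie with a randomly generated session id instead of a fixed one. It assumes shelf 1.x (for Response.headersAll); the helper names sessionCookie, newSessionId, isHardened and requireHardenedCookies are this example's own.

```dart
import 'dart:convert';
import 'dart:math';

import 'package:shelf/shelf.dart' as shelf;

/// Builds a Set-Cookie value carrying the attributes from the Steps section.
/// [sameSite] must be 'Strict' or 'Lax'.
String sessionCookie(String value, {String sameSite = 'Strict'}) {
  assert(sameSite == 'Strict' || sameSite == 'Lax');
  return 'sessionId=$value; Path=/; Secure; HttpOnly; SameSite=$sameSite';
}

/// 32 bytes from the platform CSPRNG, base64url-encoded (example helper).
String newSessionId() {
  final rng = Random.secure();
  final bytes = List<int>.generate(32, (_) => rng.nextInt(256));
  return base64Url.encode(bytes);
}

/// True when a Set-Cookie value has Secure, HttpOnly and SameSite=Strict|Lax.
/// Attribute names are case-insensitive, so everything is lower-cased first.
bool isHardened(String setCookie) {
  final attrs =
      setCookie.split(';').map((s) => s.trim().toLowerCase()).toSet();
  final sameSiteOk =
      attrs.contains('samesite=strict') || attrs.contains('samesite=lax');
  return attrs.contains('secure') && attrs.contains('httponly') && sameSiteOk;
}

/// Middleware that fails closed: a handler that forgets the attributes
/// produces a 500 instead of leaking an unprotected cookie to the browser.
shelf.Middleware requireHardenedCookies() {
  return (shelf.Handler inner) {
    return (shelf.Request request) async {
      final response = await inner(request);
      final setCookies = response.headersAll['set-cookie'] ?? const <String>[];
      for (final cookie in setCookies) {
        if (!isHardened(cookie)) {
          return shelf.Response.internalServerError(
              body: 'refusing to send a cookie without Secure/HttpOnly/SameSite');
        }
      }
      return response;
    };
  };
}

shelf.Response handleRequest(shelf.Request request) {
  return shelf.Response.ok('Hello, World!',
      headers: {'Set-Cookie': sessionCookie(newSessionId())});
}

// Wire the check in front of every handler.
final handler = const shelf.Pipeline()
    .addMiddleware(requireHardenedCookies())
    .addHandler(handleRequest);
```

Pass `handler` to shelf_io.serve as usual; requests that reach handleRequest receive a hardened cookie, and any other handler in the pipeline that emits a bare Set-Cookie is blocked before the response leaves the server.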
