Insecurely generated cookies
Need
Secure generation and handling of cookies
Context
- Usage of Dart for building cross-platform mobile, web, and desktop applications
- Usage of Shelf for building web servers and handling HTTP requests and responses in Dart
Description
Non compliant code
import 'package:shelf/shelf.dart' as shelf;

shelf.Response handleRequest(shelf.Request request) {
  var response = shelf.Response.ok('Hello, World!');
  // The session cookie is issued with no Secure, HttpOnly or SameSite attributes.
  return response.change(headers: {
    'Set-Cookie': 'sessionId=123456; Path=/;',
  });
}
The above code snippet represents a simple server-side Dart application using the shelf framework. The handleRequest function processes incoming requests and returns a response. The vulnerability lies in the way the Set-Cookie HTTP header is built: it sets a sessionId cookie without any security attributes, such as Secure or HttpOnly.
- The Secure attribute ensures that the cookie is sent only over HTTPS connections, which protects it from being intercepted in transit.
- The HttpOnly attribute ensures that the cookie cannot be accessed through client-side scripts, which protects it from cross-site scripting (XSS) attacks.
In the current state, the cookie can be sent over unsecured HTTP connections and can be accessed via client-side scripts, making it vulnerable to interception and unauthorized access.
Steps
- Use the 'Secure' attribute in the 'Set-Cookie' HTTP response header. This attribute instructs the browser to only send the cookie over an encrypted HTTPS connection.
- Use the 'HttpOnly' attribute in the 'Set-Cookie' HTTP response header. This attribute prevents client-side scripts from accessing the cookie, mitigating the risk of cross-site scripting (XSS) attacks.
- Ensure that the 'SameSite' attribute is set to 'Strict' or 'Lax' in the 'Set-Cookie' HTTP response header. This attribute helps to mitigate the risk of cross-site request forgery (CSRF) attacks.
Compliant code
import 'package:shelf/shelf.dart' as shelf;

shelf.Response handleRequest(shelf.Request request) {
  var response = shelf.Response.ok('Hello, World!');
  // The session cookie now carries the Secure, HttpOnly and SameSite attributes.
  return response.change(headers: {
    'Set-Cookie': 'sessionId=123456; Path=/; Secure; HttpOnly; SameSite=Strict',
  });
}
The updated code now sets the 'Secure', 'HttpOnly', and 'SameSite' attributes for the 'Set-Cookie' HTTP response header.
- The 'Secure' attribute instructs the browser to only send the cookie over an encrypted HTTPS connection. This prevents the cookie from being sent in plain text, where it could be intercepted and read by unauthorized users.
- The 'HttpOnly' attribute prevents client-side scripts from accessing the cookie. This mitigates the risk of cross-site scripting (XSS) attacks, where an attacker could use a script to read the cookie and gain unauthorized access to the session.
- The 'SameSite' attribute is set to 'Strict', which means the cookie will only be sent in a first-party context (i.e., when the URL in the browser's address bar matches the domain of the cookie). This helps to mitigate the risk of cross-site request forgery (CSRF) attacks, where an attacker could trick a user into performing an action on a website where they are authenticated.
By setting these attributes, the system ensures that sensitive cookies are not disclosed to unauthorized users or sent over insecure connections.
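The following Python script is an added example, not part of the page or of the shelf package, that turns the three Steps above and the compliant header into something a reviewer can run: it parses a Set-Cookie value, reports which of Secure, HttpOnly and SameSite (Strict or Lax) are missing, and builds a header value that carries all three. The function names, the CookieAudit class and the sample header strings are assumptions constructed for this illustration.

```python
"""Audit and build Set-Cookie header values for the Secure, HttpOnly and SameSite attributes.

Constructed example: the header strings used below are made up, and the helper names
(parse_set_cookie, audit_set_cookie, build_session_cookie, CookieAudit) are assumptions,
not part of shelf or of this page's own code.
"""
import re
from dataclasses import dataclass, field

# Attributes a session cookie must carry; names are compared case-insensitively.
REQUIRED_FLAGS = ("Secure", "HttpOnly")
ALLOWED_SAMESITE = ("Strict", "Lax")

# RFC 6265 cookie-octet: printable US-ASCII except control chars, space, '"', ',', ';' and '\'.
COOKIE_VALUE_RE = re.compile(r"[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*")


@dataclass
class CookieAudit:
    name: str
    attributes: dict = field(default_factory=dict)
    findings: list = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        return not self.findings


def parse_set_cookie(header: str) -> CookieAudit:
    """Split a Set-Cookie value into the cookie name and a lowercase attribute map."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    if not parts or "=" not in parts[0]:
        raise ValueError("malformed Set-Cookie value: %r" % header)
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return CookieAudit(name=name, attributes=attrs)


def audit_set_cookie(header: str) -> CookieAudit:
    """Report which of Secure / HttpOnly / SameSite(Strict|Lax) the cookie lacks."""
    audit = parse_set_cookie(header)
    for flag in REQUIRED_FLAGS:
        if flag.lower() not in audit.attributes:
            audit.findings.append(f"missing {flag}")
    same_site = audit.attributes.get("samesite")
    if same_site is None:
        audit.findings.append("missing SameSite")
    elif same_site.lower() not in (v.lower() for v in ALLOWED_SAMESITE):
        audit.findings.append(f"SameSite={same_site} is not Strict or Lax")
    return audit


def build_session_cookie(name: str, value: str, same_site: str = "Strict", path: str = "/") -> str:
    """Produce a Set-Cookie value with all three attributes from the Steps section."""
    if same_site not in ALLOWED_SAMESITE:
        raise ValueError("SameSite must be Strict or Lax")
    if not COOKIE_VALUE_RE.fullmatch(value):
        raise ValueError("cookie value contains characters not allowed by RFC 6265")
    return f"{name}={value}; Path={path}; Secure; HttpOnly; SameSite={same_site}"


if __name__ == "__main__":
    # Constructed sample headers: the page's non-compliant cookie and a rebuilt compliant one.
    samples = ("sessionId=123456; Path=/;", build_session_cookie("sessionId", "123456"))
    for hdr in samples:
        result = audit_set_cookie(hdr)
        print(hdr, "->", "OK" if result.compliant else result.findings)
```

Run over the page's non-compliant header, the audit reports all three attributes missing; run over the header produced by build_session_cookie it reports none. The value check exists because a cookie value containing a ';' would let a caller terminate the attribute list early, so the builder rejects such values rather than emitting a header whose attributes can be silently dropped.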