Skip to main content

Insecurely generated cookies

Description

The system does not set security attributes for sensitive cookies, which could cause them to be sent in plain text or disclosed by unauthorized users on the client side.

Impact

Send plain text session cookies through insecure channels.

Recommendation

The application must set the corresponding security attributes when cookies are generated.

Threat

Anonymous attacker from the Internet.

Expected Remediation Time

⌚ 15 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: H
  • Privileges required: N
  • User interaction: R
  • Scope: U
  • Confidentiality: L
  • Integrity: L
  • Availability: N

Temporal

  • Exploit code madurity: P
  • Remediation level: O
  • Report confidence: X

Result

  • Vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:X
  • Score:
    • Base: 4.2
    • Temporal: 3.8
  • Severity:
    • Base: Medium
    • Temporal: Low

Code Examples

Compliant code

using System.Net;
using System;

namespace cookies {
public class CookieExample {
public static void Main(string[] args) {
var secure_cookie = new HttpCookie(key , value);
secure_cookie.Expires = DateTime.Now.AddDays(expireDay);
secure_cookie.HttpOnly = true;
secure_cookie.Secure = true;
}
}
}

Non compliant code

Incorrectly configured cookie settings

using System.Net;
using System;

namespace cookies{
public class CookieExample{
public static void Main(string[] args) {
var insecure_cookie = new HttpCookie(key , value);
insecure_cookie.Expires = DateTime.Now.AddDays(expireDay);
insecure_cookie.HttpOnly = true;

var insecure = new HttpCookie(key , value);
}
}
}

Requirements