Plaintext Storage In Cookie

ID

csharp.plaintext_storage_in_cookie

Severity

low

Resource

Information Leak

Language

CSharp

Tags

CWE:315, NIST.SP.800-53, OWASP:2021:A4

Description

Cleartext storage of sensitive information in a cookie occurs when sensitive data is stored in cookies without any form of encryption, potentially exposing it to unauthorized access.

This vulnerability can lead to information disclosure and can be exploited by attackers who gain access to the cookies.

Rationale

This vulnerability arises when sensitive information such as usernames, session IDs, or authentication tokens are stored directly in cookie values without being encrypted. This practice poses a security risk because cookies can be intercepted over unsecured channels, or accessed by other scripts (e.g., cross-site scripting attacks).

using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Http;

public class CookieExampleController : Controller
{
    public IActionResult AddCookie(string username)
    {
        // VULNERABLE: Store the username (a sensitive value) in plaintext in a cookie
        Response.Cookies.Append("user", username);
        return Content("Cookie has been set.");
    }
}

In this example, the username is stored directly in the cookie without encryption, making it susceptible to interception and unauthorized access. It is crucial to ensure that sensitive data is protected when stored in cookies to prevent information leakage and ensure compliance with data protection regulations.

Remediation

If possible, do not store sensitive information in cookies. Having sensitive data stored in a cookie could be a sign of bad design. Instead of storing e.g. user details in a cookie, store them at the application backend and use session tokens to identify the user. Proper session handling is essential to prevent session fixation attacks.

If you really need to store sensitive information in a cookie, ensure that it is encrypted at the backend. Use safe encryption standards and cryptographic libraries to achieve this.

Ensure that the cookie is marked as secure, which prevents it from being sent over an insecure channel (e.g., HTTP), and with the httpOnly flag, which prevents it from being accessed by JavaScript in the browser, avoiding exfiltration by exploiting cross-site scripting vulnerabilities.

A revised C# example using encryption might look like this:

using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Http;
using System.Security.Cryptography;
using System.Text;

public class CookieExampleController : Controller
{
    public IActionResult AddCookie(string username)
    {
        // Hash the username using SHA-256
        string hashedUsername = ComputeSha256Hash(username);

        // Store the hashed username in the cookie
        Response.Cookies.Append("user", hashedUsername, new CookieOptions
        {
            HttpOnly = true,
            Secure = true,
            SameSite = SameSiteMode.Strict,
            Expires = DateTimeOffset.UtcNow.AddDays(7)
        });

        return Content("Hashed cookie has been set.");
    }

    private string ComputeSha256Hash(string rawData)
    {
        using (SHA256 sha256 = SHA256.Create())
        {
            byte[] bytes = sha256.ComputeHash(Encoding.UTF8.GetBytes(rawData));
            // Convert byte array to a hex string
            StringBuilder builder = new StringBuilder();
            foreach (byte b in bytes)
                builder.Append(b.ToString("x2"));
            return builder.ToString();
        }
    }
}

In the revised example, creating a secure cookie involves hashing the sensitive data before storing it in the cookie. The ComputeSha256Hash method protects the username from unauthorized access, allowing for later verification. Additional attributes such as HttpOnly and Secure are set to further tighten security.

By encrypting / hashing the data and setting appropriate cookie attributes, you significantly decrease the risk of sensitive data exposure through cookies.

References