Unsafe Cookie

ID | csharp.unsafe_cookie
Severity | high
Resource | Misconfiguration
Language | CSharp
Tags | CWE:1004, CWE:315, CWE:539, CWE:614, NIST.SP.800-53, PCI-DSS:6.5.10
Description
Unsafe cookie handling covers several weaknesses in how cookies are created and stored; each can lead to disclosure of sensitive information or session hijacking.
The relevant weaknesses are cleartext storage in a cookie (CWE-315), persistent cookies carrying sensitive data (CWE-539), missing transport protection via the Secure attribute (CWE-614), and exposure to client-side scripts via a missing HttpOnly flag (CWE-1004).
Rationale
Cookies are often used to store session identifiers and other sensitive information. Several potential vulnerabilities arise if cookies are not handled securely:
- CWE-315: Cleartext Storage of Sensitive Information in a Cookie: Storing sensitive information in cookies without encryption can lead to unauthorized disclosure.
- CWE-539: Use of Persistent Cookies Containing Sensitive Information: Persistent cookies that remain valid after a session can be exploited if not handled properly.
- CWE-614: Sensitive Cookie in HTTPS Session without 'Secure' Attribute: Cookies without the Secure attribute can be transmitted over unencrypted connections, exposing them to interception.
- CWE-1004: Sensitive Cookie without 'HttpOnly' Flag: Cookies accessible to client-side scripts can be stolen via cross-site scripting attacks.
Consider this example illustrating some unsafe practices:
using System;                              // TimeSpan
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http.Extensions;
// ... namespace and type declaration not shown
private const string COOKIE_NAME = "SecureCookie";
public void Dummy(HttpResponse res)
{
    var options = new CookieOptions
    {
        MaxAge = TimeSpan.FromDays(1), // CWE-539: Max-Age makes the cookie persistent
        Secure = false,                // CWE-614: Secure flag not set, sent over plain HTTP too
        HttpOnly = false               // CWE-1004: HttpOnly not set, readable by client-side script
    };
    res.Cookies.Append(COOKIE_NAME, "value", options);
}
In this example, the cookie is persistent for a day and is added without the Secure and HttpOnly attributes, so it can be sent over unencrypted connections and read by client-side scripts.
Remediation
To secure cookies in web applications, implement the following practices:
- Use the Secure Attribute: Always set the Secure attribute on cookies if your application supports HTTPS. This ensures cookies are only sent over secure channels.
- Set the HttpOnly Attribute: Apply the HttpOnly attribute to cookies that store sensitive data, preventing access from client-side scripts and mitigating XSS risks.
- Avoid Storing Sensitive Data in Cookies: Encrypt any sensitive data stored in cookies and, where possible, avoid storing information like passwords or sensitive session data directly.
- Manage Cookie Expirations Wisely: Use session cookies rather than persistent ones for sensitive information, ensuring they expire appropriately and reduce the risk of exploitation.
- Regularly Audit Cookie Usage: Review cookies in use on your website to ensure best practices are consistently applied.
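The following is an added example, not code from the original page or from the detector's project, showing how the first four practices above can be applied application-wide in ASP.NET Core rather than per call site: a CookiePolicyOptions registration forces Secure, HttpOnly and SameSite on every cookie the app emits, and the Data Protection API encrypts and authenticates the cookie payload so no cleartext is stored. The endpoint paths, the cookie name CartCookie, the protector purpose string "Checkout.Cart.v1" and the sample payload are assumptions made for the example.

```csharp
// Added example (not part of the original page): app-wide cookie defaults plus
// encrypted cookie payloads in ASP.NET Core minimal hosting.
// CartCookie, "Checkout.Cart.v1" and the /cart routes are illustrative placeholders.
using System;
using System.Security.Cryptography;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.CookiePolicy;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// Data Protection provides an authenticated encryptor keyed per application.
builder.Services.AddDataProtection();

// Enforce Secure, HttpOnly and SameSite on every cookie the app emits, so a single
// forgotten CookieOptions cannot downgrade the policy (CWE-614, CWE-1004).
builder.Services.Configure<CookiePolicyOptions>(o =>
{
    o.Secure = CookieSecurePolicy.Always;
    o.HttpOnly = HttpOnlyPolicy.Always;
    o.MinimumSameSitePolicy = SameSiteMode.Strict;
});

var app = builder.Build();
app.UseCookiePolicy(); // must run before the endpoints that append cookies

// Writes a short-lived, encrypted cookie (addresses CWE-315 and CWE-539).
app.MapGet("/cart/save", (HttpContext ctx, IDataProtectionProvider dp) =>
{
    // The purpose string isolates this protector from other uses of Data Protection.
    var protector = dp.CreateProtector("Checkout.Cart.v1");
    string plaintext = "cart=42;coupon=SPRING";          // constructed sample payload
    string ciphertext = protector.Protect(plaintext);     // base64url, encrypted + MAC'd

    // Per-cookie options are set explicitly as well; the policy above is the backstop.
    ctx.Response.Cookies.Append("CartCookie", ciphertext, new CookieOptions
    {
        Secure = true,
        HttpOnly = true,
        SameSite = SameSiteMode.Strict,
        Path = "/cart"
        // No Expires/MaxAge: a session cookie, discarded when the browser closes.
    });
    return Results.Ok();
});

app.MapGet("/cart/load", (HttpContext ctx, IDataProtectionProvider dp) =>
{
    var protector = dp.CreateProtector("Checkout.Cart.v1");
    if (!ctx.Request.Cookies.TryGetValue("CartCookie", out var ciphertext))
        return Results.NotFound();
    try
    {
        // Unprotect throws on tampered or foreign ciphertext, so a modified
        // cookie is never treated as trusted application state.
        return Results.Text(protector.Unprotect(ciphertext));
    }
    catch (CryptographicException)
    {
        ctx.Response.Cookies.Delete("CartCookie");
        return Results.BadRequest();
    }
});

app.Run();
```

With the policy middleware in place, a call site that omits Secure or HttpOnly still produces a hardened Set-Cookie header, which is the property the detector is checking for; the explicit per-cookie options remain useful because they also document intent at the call site.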
Here is a secure implementation:
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http.Extensions;
// ... namespace and type declaration not shown
private const string COOKIE_NAME = "SecureCookie";
public void CreateCookie(HttpRequest req, HttpResponse res)
{
    var options = new CookieOptions
    {
        Secure = true,                  // only sent over HTTPS
        HttpOnly = true,                // not readable by client-side script; mitigates XSS theft
        MaxAge = null,                  // no Max-Age/Expires: session cookie, not persistent
        SameSite = SameSiteMode.Strict, // bonus: helps protect against CSRF
        Path = req.PathBase.HasValue ? req.PathBase.Value : "/", // scoped to the app's base path
        Domain = req.Host.Host          // explicit domain (ASP.NET Core HttpRequest exposes Host, not Url)
    };
    res.Cookies.Append(COOKIE_NAME, "value", options);
}
This example demonstrates best practices for transmitting cookies securely and protecting them from client-side access. It greatly reduces the risk of data exposure, cross-site scripting, cross-site request forgery, and session hijacking, especially if the cookie carries a session identifier.
Configuration
The detector has the following configurable parameters:
- checkPersistence, that indicates if the persistence of the cookie must be checked.
- invalidCookieNamePattern, that indicates the pattern used to detect invalid cookie names.
- invalidDomainPattern, that indicates the pattern used to detect invalid domain names.
- invalidPathPattern, that indicates the pattern used to detect invalid paths.
- enforceHttpOnly, that indicates if the HttpOnly flag of the cookie must be checked.
- enforceSecure, that indicates if the Secure flag of the cookie must be checked.
References
- CWE-315: Cleartext Storage of Sensitive Information in a Cookie.
- CWE-539: Use of Persistent Cookies Containing Sensitive Information.
- CWE-614: Sensitive Cookie in HTTPS Session without 'Secure' Attribute.
- CWE-1004: Sensitive Cookie without 'HttpOnly' Flag.
- OWASP Top 10 2021, Category A05: Security Misconfiguration.