CWE-784 - Reliance on Cookies without Validation and Integrity Checking in a Security Decision

Read Time:1 Minute, 47 Second

Description

The application uses a protection mechanism that relies on the existence or values of a cookie, but it does not properly ensure that the cookie is valid for the associated user.

Attackers can easily modify cookies, within the browser or by implementing the client-side code outside of the browser. Attackers can bypass protection mechanisms such as authorization and authentication by modifying the cookie to contain an expected value.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit: High

Related Weaknesses

CWE-807
CWE-565

Consequences

Access Control: Bypass Protection Mechanism, Gain Privileges or Assume Identity

It is dangerous to use cookies to set a user’s privileges. The cookie can be manipulated to claim a high level of authorization, or to claim that successful authentication has occurred.

Potential Mitigations

Phase: Architecture and Design

Effectiveness:

Description:

Avoid using cookie data for a security-related decision.

Phase: Implementation

Effectiveness:

Description:

Perform thorough input validation (i.e.: server side validation) on the cookie data if you’re going to use it for a security related decision.

Phase: Architecture and Design

Effectiveness:

Description:

Add integrity checks to detect tampering.

Phase: Architecture and Design

Effectiveness:

Description:

Protect critical cookies from replay attacks, since cross-site scripting or other attacks may allow attackers to steal a strongly-encrypted cookie that also passes integrity checks. This mitigation applies to cookies that should only be valid during a single transaction or session. By enforcing timeouts, you may limit the scope of an attack. As part of your integrity check, use an unpredictable, server-side value that is not exposed to the client.

CVE References

CVE-2009-1549
- Attacker can bypass authentication by setting a cookie to a specific value.

CVE-2009-1619
- Attacker can bypass authentication and gain admin privileges by setting an “admin” cookie to 1.

CVE-2009-0864
- Content management system allows admin privileges by setting a “login” cookie to “OK.”

CVE-2008-5784
- e-dating application allows admin privileges by setting the admin cookie to 1.

CVE-2008-6291
- Web-based email list manager allows attackers to gain admin privileges by setting a login cookie to “admin.”

InCVE-2009-1549, CWE- 784, Reliance on Cookies without Validation and Integrity Checking in a Security Decision

White House to Tackle AI-Generated Sexual Abuse Images

Legacy Ivanti Cloud Service Appliance Being Exploited

Half of UK Firms Lack Basic Cybersecurity Skills

Advanced Phishing Attacks Put X Accounts at Risk

Apple to Drop Spyware Lawsuit Over Security Concerns

Tackling the Unique Cybersecurity Challenges of Online Learning Platforms

Meta Goes Ahead With Controversial AI Training in UK

23andMe Agrees to $30m Data Breach Settlement

UK Hosts International Cyber Skills Conference

CWE-784 – Reliance on Cookies without Validation and Integrity Checking in a Security Decision

Description

Related Weaknesses

Consequences

Potential Mitigations

CVE References

The Most Dangerous Vulnerabilities in Apache Tomcat and How to Protect Against Them

ZDI-CAN-18333: A Critical Zero-Day Vulnerability in Microsoft Windows

CWE-669 – Incorrect Resource Transfer Between Spheres

CWE-67 – Improper Handling of Windows Device Names

CWE-670 – Always-Incorrect Control Flow Implementation

CWE-671 – Lack of Administrator Control over Security