Tag Archives: CWE- 614

CWE-614 – Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute

Read Time:1 Minute, 7 Second

Description

The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-311

 

Consequences

Confidentiality: Read Application Data

 

Potential Mitigations

Phase: Implementation

Description: 

Always set the secure attribute when the cookie should sent via HTTPS only.

CVE References

  • CVE-2004-0462
    • A product does not set the Secure attribute for sensitive cookies in HTTPS sessions, which could cause the user agent to send those cookies in plaintext over an HTTP session with the product.
  • CVE-2008-3663
    • A product does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
  • CVE-2008-3662
    • A product does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
  • CVE-2008-0128
    • A product does not set the secure flag for a cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.