Rules Repository: RSPEC-2255

Writing cookies is security-sensitive

Details

• Message: Make sure that this cookie is written safely.
• Default Severity: Minor
• Impact: Low
• Likelihood: Low
• Default Quality Profiles: Sonar way
• Targeted languages: C++, Flex, HTML, Objective-C, Python, Swift, VB6
• Covered Languages: C#, Java, JavaScript, PHP, VB.Net
• Remediation Function: Constant/Issue
• Constant Cost: 5min
• Analysis Level: Syntactic Analysis
• Analysis Scope: Main Sources
• Implementation details:
• Common Rule: Yes
• CERT: FIO52-J.
• CWE: CWE-315, CWE-312, CWE-565, CWE-807
• OWASP: A3
• SANS Top 25: Porous Defenses
• FindSecBugs: COOKIE_USAGE

      Description

      Using cookies is security-sensitive. It has led in the past to the following vulnerabilities:

Attackers can use widely available tools to read cookies, so any sensitive information the server writes into them is exposed.

      This rule flags code that writes cookies.

      Ask Yourself Whether

      • sensitive information is stored inside the cookie.

      You are at risk if you answered yes to this question.

      Recommended Secure Coding Practices

Cookies should only be used to manage the user session. The best practice is to keep all user-related information server-side and link it to the user session, never sending it to the client. In a very few corner cases, cookies can be used for non-sensitive information that needs to live longer than the user session.

Do not try to encode sensitive information in a non-human-readable format before writing it to a cookie. The encoding can be reversed and the original information will be exposed.

      Using cookies only for session IDs doesn't make them secure. Follow OWASP best practices when you configure your cookies.

As a side note, all information read from a cookie should be sanitized.
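The practices above, as an added example that is not part of the rule page: the noncompliant pattern (user data base64-encoded into the cookie and trivially decoded back) beside the compliant one (an opaque session ID carrying Secure, HttpOnly and SameSite, with the user data kept server-side). The in-memory SESSION_STORE and the is_hardened check are constructed for this example; Python's standard http.cookies module does the cookie formatting.

```python
import base64
import json
import secrets
from http.cookies import SimpleCookie

# Constructed stand-in for a server-side session store (database, cache, ...).
# Keys are opaque session IDs; values are user data that never leaves the server.
SESSION_STORE = {}


def noncompliant_cookie(user):
    """Writes user data into the cookie after base64-encoding it.
    Encoding is not encryption: whoever holds the cookie can reverse it."""
    payload = base64.b64encode(json.dumps(user).encode()).decode()
    cookie = SimpleCookie()
    cookie["profile"] = payload
    return cookie.output(header="").strip()  # e.g. profile="eyJ1c2Vy..."


def read_back(set_cookie_line):
    """What any client-side tool can do with such a cookie: decode it to plaintext."""
    cookie = SimpleCookie()
    cookie.load(set_cookie_line)
    return json.loads(base64.b64decode(cookie["profile"].value))


def compliant_cookie(user):
    """Keeps the user data server-side and sends only a random session ID,
    with the attributes OWASP recommends for session cookies."""
    session_id = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    SESSION_STORE[session_id] = user
    cookie = SimpleCookie()
    cookie["SESSIONID"] = session_id
    morsel = cookie["SESSIONID"]
    morsel["secure"] = True        # only sent over HTTPS
    morsel["httponly"] = True      # not readable from document.cookie
    morsel["samesite"] = "Strict"  # not sent on cross-site requests
    morsel["path"] = "/"
    return session_id, cookie.output(header="").strip()


def lookup(session_id):
    """Server-side resolution of the session ID; unknown or forged IDs simply miss."""
    return SESSION_STORE.get(session_id)


def is_hardened(set_cookie_line):
    """Cheap check that a Set-Cookie value carries every attribute this example requires."""
    return all(attr in set_cookie_line for attr in ("Secure", "HttpOnly", "SameSite="))
```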

      See

          Issue Links

1. Java RSPEC-4554 Language-Specification Active Unassigned
2. C# RSPEC-4555 Language-Specification Active Unassigned
3. PHP RSPEC-4709 Language-Specification Active Unassigned
4. VB.NET RSPEC-5038 Language-Specification Active Unassigned
5. JavaScript RSPEC-5084 Language-Specification Active Unassigned
6. Python RSPEC-5233 Language-Specification Active Unassigned

People

• Assignee: Unassigned
• Reporter: freddy.mallet (Freddy Mallet, Inactive)