Uploaded image for project: 'Rules Repository'
  1. Rules Repository
  2. RSPEC-2255

Writing cookies is security-sensitive

    Details

    • Type: Security Hotspot Detection
    • Status: Deprecated
    • Resolution: Unresolved
    • Message:
      Make sure that this cookie is written safely.
    • Default Severity:
      Minor
    • Impact:
      Low
    • Likelihood:
      Low
    • Targeted languages:
      C++, Flex, HTML, Objective-C, Python, Swift, VB6
    • Covered Languages:
      C#, Java, JavaScript, PHP, TypeScript, VB.Net
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      5min
    • Analysis Level:
      Syntactic Analysis
    • Analysis Scope:
      Main Sources
    • Implementation details:
    • Common Rule:
      Yes
    • CWE:
      CWE-807
    • SANS Top 25:
      Porous Defenses

      Description

      Using cookies is security-sensitive. It has led in the past to the following vulnerabilities:

      Attackers can use widely-available tools to read cookies. Any sensitive information they may contain will be exposed.

      This rule flags code that writes cookies.

      Ask Yourself Whether

      • sensitive information is stored inside the cookie.

      You are at risk if you answered yes to this question.

      Recommended Secure Coding Practices

      Cookies should only be used to manage the user session. The best practice is to keep all user-related information server-side and link them to the user session, never sending them to the client. In a very few corner cases, cookies can be used for non-sensitive information that need to live longer than the user session.

      Do not try to encode sensitive information in a non human-readable format before writing them in a cookie. The encoding can be reverted and the original information will be exposed.

      Using cookies only for session IDs doesn't make them secure. Follow OWASP best practices when you configure your cookies.

      As a side note, every information read from a cookie should be Sanitized.

      See

        Attachments

          Issue Links

          breaks down into

          Improvement - An improvement or enhancement to an existing feature or task. SONARJAVA-2889 S2255 FN: update implementation to include Cookie reading

          • Major - Major loss of function.
          • Closed
          is implemented by

          New Feature - A new feature of the product, which has yet to be developed. SONARPY-315 Rule S2255: Writing cookies is security-sensitive

          • Major - Major loss of function.
          • Open

          New Feature - A new feature of the product, which has yet to be developed. SONARJAVA-2670 Rule S2255: Cookies should not be used to store sensitive information

          • Major - Major loss of function.
          • Closed

          New Feature - A new feature of the product, which has yet to be developed. SONARPHP-799 Rule S2255: Cookies should not be used to store sensitive information

          • Major - Major loss of function.
          • Closed

          Improvement - An improvement or enhancement to an existing feature or task. SONARJAVA-3093 Rule S2255: update implementation to NOT include Cookie reading

          • Major - Major loss of function.
          • Closed

          Improvement - An improvement or enhancement to an existing feature or task. SONARPHP-823 Rule S2255: update implementation to include Cookie reading

          • Major - Major loss of function.
          • Closed

          Improvement - An improvement or enhancement to an existing feature or task. SONARPHP-917 Rule S2255: update implementation to NOT include Cookie reading

          • Major - Major loss of function.
          • Closed

          MMF - Minimum Marketable Feature MMF-1269 Pack of C# Rules targeting Security Hotspots

          • Major - Major loss of function.
          • Closed
          relates to

          Improvement - An improvement or enhancement to an existing feature or task. SONARJAVA-2770 S2255: add support for Play Framework Cookie and CookieBuilder

          • Major - Major loss of function.
          • Closed

          False-Positive - Unexpected issue reported by a rule SONARJAVA-2769 S2255 should not raise issues for null value stored in a Cookie

          • Major - Major loss of function.
          • Closed
          supercedes

          Vulnerability Detection - RSPEC-2608 Cookies and form values should not be relied on to make security decisions

          • Superseded
          links to

          Web Link C# VB.Net - Update S2255: Remove Cookie reading from Rule S2255

          Web Link C# VB.Net - Update S2255: Update SonarC# implementation to include Cookie reading, implement the rule in SonarVB

          Web Link is implemented by sonar-csharp/issues/1287

          Web Link JS - Rule S2255: update implementation to NOT include Cookie reading #1232

          1.
          		 Java RSPEC-4554 Language-Specification Active Unassigned
          2.
          		 C# RSPEC-4555 Language-Specification Active Unassigned
          3.
          		 PHP RSPEC-4709 Language-Specification Active Unassigned
          4.
          		 VB.NET RSPEC-5038 Language-Specification Active Unassigned
          5.
          		 JavaScript RSPEC-5084 Language-Specification Active Unassigned
          6.
          		 Python RSPEC-5233 Language-Specification Active Unassigned

            Activity

              People

              • Assignee:
                Unassigned
                Reporter:
                freddy.mallet Freddy Mallet (Inactive)
              • Votes:
                0 Vote for this issue
                Watchers:
                6 Start watching this issue

                Dates

                • Created:
                  Updated: