Details
- Type: Security Hotspot Detection
- Status: Deprecated
- Resolution: Unresolved
- Labels: None
- Message: Make sure that this cookie is written safely.
- Default Severity: Minor
- Impact: Low
- Likelihood: Low
- Covered Languages: C#, Java, JavaScript, PHP, TypeScript, VB.Net
- Remediation Function: Constant/Issue
- Constant Cost: 5min
- Analysis Level: Syntactic Analysis
- Analysis Scope: Main Sources
- Implementation details:
- Common Rule: Yes
Description
Using cookies is security-sensitive. It has led in the past to the following vulnerabilities:
- Attackers can use widely-available tools to read cookies. Any sensitive information they may contain will be exposed.
This rule flags code that writes cookies.
Ask Yourself Whether
- sensitive information is stored inside the cookie.
You are at risk if you answered yes to this question.
Recommended Secure Coding Practices
Cookies should only be used to manage the user session. The best practice is to keep all user-related information server-side, linked to the user session, and never send it to the client. In a very few corner cases, cookies can be used for non-sensitive information that needs to live longer than the user session.
Do not try to encode sensitive information in a non-human-readable format before writing it to a cookie. The encoding can be reverted and the original information will be exposed.
Using cookies only for session IDs doesn't make them secure. Follow OWASP best practices when you configure your cookies (for example the Secure, HttpOnly and SameSite attributes).
As a side note, any information read from a cookie should be sanitized: it is client-supplied input.
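As an added illustration of the practice above (example code written for this page, not part of the rule specification or of any SonarSource analyzer), the following Python uses the standard-library `http.cookies` module to contrast a cookie that carries base64-encoded profile data with a cookie that carries only an opaque session id. The in-memory `SESSION_STORE`, the function names and the sample profile are constructed for the example.

```python
import base64
import json
import secrets
from http.cookies import SimpleCookie
from typing import Optional

# Constructed for this example: a server-side session store keyed by session id.
# A real application would back this with a database or cache, not a module dict.
SESSION_STORE: dict = {}


def noncompliant_profile_cookie(profile: dict) -> str:
    """Writes user data into the cookie itself.

    Base64 is an encoding, not encryption: anyone who can read the cookie
    (browser developer tools, a proxy on a non-TLS hop, malware on the client)
    can decode it, which is exactly the exposure this rule warns about.
    """
    encoded = base64.urlsafe_b64encode(json.dumps(profile).encode()).decode()
    cookie = SimpleCookie()
    cookie["profile"] = encoded
    return cookie["profile"].OutputString()  # e.g. profile="eyJlbWFpbCI6..."


def decode_profile_cookie(set_cookie_value: str) -> dict:
    """Reverses the 'obfuscation' above with two standard-library calls."""
    # The Set-Cookie value looks like profile="<base64>"; drop the name and quotes.
    _, _, encoded = set_cookie_value.partition("=")
    return json.loads(base64.urlsafe_b64decode(encoded.strip('"')))


def compliant_session_cookie(profile: dict) -> str:
    """Keeps the data server-side and sends the client only an opaque id.

    The id is 256 bits from the OS CSPRNG; the Secure, HttpOnly and SameSite
    attributes follow the OWASP session-management guidance the rule references.
    """
    session_id = secrets.token_urlsafe(32)
    SESSION_STORE[session_id] = dict(profile)
    cookie = SimpleCookie()
    cookie["SESSIONID"] = session_id
    morsel = cookie["SESSIONID"]
    morsel["secure"] = True         # only sent over TLS
    morsel["httponly"] = True       # not readable from page scripts
    morsel["samesite"] = "Strict"   # not sent on cross-site requests
    morsel["path"] = "/"
    return morsel.OutputString()


def load_session(cookie_header: str) -> Optional[dict]:
    """Reads the request Cookie header and treats it as untrusted input.

    The only thing done with the client-supplied value is a dictionary
    lookup: an unknown or tampered id yields None, never a partial profile.
    """
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    morsel = cookie.get("SESSIONID")
    if morsel is None:
        return None
    return SESSION_STORE.get(morsel.value)


if __name__ == "__main__":
    # Constructed sample profile: the kind of data that must not go into a cookie.
    profile = {"email": "a@example.com", "role": "admin"}
    leaked = noncompliant_profile_cookie(profile)
    print("noncompliant:", leaked)
    print("decoded by anyone:", decode_profile_cookie(leaked))
    safe = compliant_session_cookie(profile)
    print("compliant:", safe)
    print("server-side lookup:", load_session(safe.split(";")[0]))
```

Because this rule is a hotspot on every cookie write, an analyzer would still flag `compliant_session_cookie` for review; the answer to the "Ask Yourself" question is what distinguishes the two functions, since only the first one stores sensitive information inside the cookie.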
See
- OWASP Top 10 2017 Category A3 - Sensitive Data Exposure
- MITRE, CWE-312 - Cleartext Storage of Sensitive Information
- MITRE, CWE-315 - Cleartext Storage of Sensitive Information in a Cookie
- CERT, FIO52-J. - Do not store unencrypted sensitive information on the client side
- Derived from FindSecBugs rule COOKIE_USAGE
Attachments
Issue Links
- breaks down into
  - SONARJAVA-2889 S2255 FN: update implementation to include Cookie reading (Closed)
- is implemented by
  - SONARJAVA-2670 Rule S2255: Cookies should not be used to store sensitive information (Closed)
  - SONARPHP-799 Rule S2255: Cookies should not be used to store sensitive information (Closed)
  - SONARPY-315 Rule S2255: Writing cookies is security-sensitive (Closed)
  - SONARJAVA-3093 Rule S2255: update implementation to NOT include Cookie reading (Closed)
  - SONARPHP-823 Rule S2255: update implementation to include Cookie reading (Closed)
  - SONARPHP-917 Rule S2255: update implementation to NOT include Cookie reading (Closed)
- is related to
  - SONARJAVA-3737 Improve rules relying on String literals to support identifier from a final or effectively final variable. (Closed)
- relates to
  - SONARJAVA-2770 S2255: add support for Play Framework Cookie and CookieBuilder (Closed)
  - SONARJAVA-2769 S2255 should not raise issues for null value stored in a Cookie (Closed)
- links to

| # | Language | Key | Status | Assignee |
|---|----------|-----|--------|----------|
| 1 | Java | RSPEC-4554 | Active | Unassigned |
| 2 | C# | RSPEC-4555 | Active | Unassigned |
| 3 | PHP | RSPEC-4709 | Active | Unassigned |
| 4 | VB.NET | RSPEC-5038 | Active | Unassigned |
| 5 | JavaScript | RSPEC-5084 | Active | Unassigned |
| 6 | Python | RSPEC-5233 | Active | Unassigned |