RSPEC-2608

Cookies and form values should not be relied on to make security decisions

    Details

    • Type: Vulnerability Detection
    • Status: Superseded
    • Resolution: Unresolved
    • Message:
      Security decisions should not be made based on this [cookie|form value].
    • Default Severity:
      Critical
    • Impact:
      High
    • Likelihood:
      Low
    • Targeted languages:
      C#, C++, Flex, HTML, Java, Objective-C, PHP, Python, Swift, VB.Net, VB6
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      30min
    • CWE:
      CWE-807
    • SANS Top 25:
      Porous Defenses

      Description

      Cookie values and the contents of form fields - both visible and hidden - can easily be manipulated by attackers. Therefore, security decisions should not be made based on these inputs.

      This rule logs an issue whenever form fields and cookie values are accessed.

      Noncompliant Code Example

      public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
        // Every read of a cookie or form value is flagged: these are client-controlled inputs.
        Cookie [] cookies = request.getCookies(); // Noncompliant
        String hiddenValue = request.getParameter("hiddenField"); // Noncompliant
        Map<String,String[]> params = request.getParameterMap(); // Noncompliant
        String [] hiddenFieldValues = request.getParameterValues("hiddenArray");  // Noncompliant
      }

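      The following is an added example, not part of the rule text, written in Python rather than Java so it runs without a servlet container. It contrasts an authorization check that trusts a "role" cookie and a hidden "isAdmin" form field with one that uses the cookie only as an opaque key into constructed server-side session state; the session store, cookie names and user names are assumptions for the demonstration.

```python
import secrets

# Constructed in-memory server-side session store: opaque session id -> attributes.
# This plays the role of the container's HttpSession; the browser only ever sees
# the opaque id in a cookie, never the role itself.
SESSIONS = {}


def login(username, role):
    """Create a server-side session and return the opaque id to set as a cookie."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user": username, "role": role}
    return session_id


def is_admin_noncompliant(cookies, form):
    """Noncompliant: a client-controlled cookie or hidden form field decides authorization.
    Any client can send role=admin or isAdmin=1, so this check enforces nothing."""
    return cookies.get("role") == "admin" or form.get("isAdmin") == "1"


def is_admin_compliant(cookies):
    """Compliant: the cookie is only an opaque lookup key; the role comes from
    server-side state that the client cannot edit."""
    session = SESSIONS.get(cookies.get("SESSIONID", ""))
    return session is not None and session["role"] == "admin"


def demo():
    """Return (noncompliant_result, compliant_result) for a tampered request."""
    sid = login("alice", "user")  # alice is an ordinary user (constructed account)
    # Constructed tampered request: the client edits its own cookies and hidden field.
    tampered_cookies = {"SESSIONID": sid, "role": "admin"}
    tampered_form = {"isAdmin": "1"}
    return (is_admin_noncompliant(tampered_cookies, tampered_form),
            is_admin_compliant(tampered_cookies))


if __name__ == "__main__":
    print(demo())  # (True, False): only the noncompliant check is fooled
```

      The compliant variant still reads a cookie, so the rule would flag that line too; the point is that the cookie carries no security meaning on its own and the decision is taken from server-side data.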
              People

              • Assignee:
                Unassigned
              • Reporter:
                ann.campbell.2 Ann Campbell