Cookie Poisoning

Risk:
Informational

Type:
Passive

CWE:
CWE-565

Summary: This check looks at user-supplied input in query string parameters and POST data to identify where cookie parameters might be controlled. This is called a cookie poisoning attack, and becomes exploitable when an attacker can manipulate the cookie in various ways. In some cases this will not be exploitable, however, allowing URL parameters to set cookie values is generally considered a bug.

Solution: Do not allow user input to control cookie names and values. If some query string parameters must be set in cookie values, be sure to filter out semicolon's that can serve as name/value pair delimiters.

Other info: An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name=controlledValue;name=anotherValue;). This was identified at: https://example.com/transact User-input was found in the following cookie: value=poison; SameSite=Strict The user input was: place=poison

References

https://en.wikipedia.org/wiki/HTTP_cookie

https://cwe.mitre.org/data/definitions/565.html

Latest Security News

Latest CVE List

Common Security Alerts

InformationalGraphQL Endpoint Supports Introspection
MediumSession ID in URL Rewrite
MediumAnti-CSRF Tokens Check
InformationalServer Leaks its Webserver Application via "Server" HTTP Response Header Field
LowStrict-Transport-Security Header Not Set
LowInformation Disclosure - Debug Error Messages
InformationalBase64 Disclosure
MediumBackup File Disclosure
LowPermissions Policy Header Not Set
HighGeneric Padding Oracle

Top CWE List

Free online web security scanner

Don't show website scan report rating on the leaderboard