logo

Cleartext Storage of Sensitive Information in a Cookie

Draft Variant
Structure: Simple
Description

This vulnerability occurs when an application directly stores sensitive data, like session tokens or personal details, in a browser cookie without encryption.

Extended Description

Storing sensitive information in plain text within a cookie exposes it to immediate theft. Attackers can easily intercept or extract these cookies using common browser tools or network sniffers, gaining direct access to user credentials, session IDs, or other private data. Even if the data is encoded (e.g., using Base64), it does not provide security. Encoding is easily reversible, and attackers can quickly identify the encoding method and decode the information. To be secure, sensitive data in cookies must always be properly encrypted and integrity-protected.
Common Consequences 1
Scope: Confidentiality

Impact: Read Application Data
Detection Methods 1
Automated Static AnalysisHigh
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Demonstrative Examples 1

ID : DX-44

The following code excerpt stores a plaintext user account ID in a browser cookie.

Code Example:

Bad
Java
java
Because the account ID is in plaintext, the user's account information is exposed if their computer is compromised by an attacker.
Observed Examples 4
CVE-2002-1800Admin password in cleartext in a cookie.
CVE-2001-1537Default configuration has cleartext usernames/passwords in cookie.
CVE-2001-1536Usernames/passwords in cleartext in cookies.
CVE-2005-2160Authentication information stored in cleartext in a cookie.
Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Modes of Introduction
Architecture and Design
Related Attack Patterns
Related Weaknesses
ChildOf: Cleartext Storage of Sensitive Information (CWE-312)
Taxonomy Mapping
  • PLOVER
  • Software Fault Patterns
Notes
TerminologyDifferent people use "cleartext" and "plaintext" to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).