Use of Persistent Cookies Containing Sensitive Information

Status: Incomplete
Abstraction: Variant
Structure: Simple
Description

This vulnerability occurs when a web application stores sensitive data, like authentication details or personal information, within persistent cookies that remain on a user's device.

Extended Description

Cookies are small pieces of data set by a web application and stored locally in a user's browser. While they are essential for maintaining state—like keeping a user logged in or remembering site preferences—they become a security risk when sensitive information is written directly into a cookie that is saved to disk. Unlike session cookies, which are deleted when the browser closes, persistent cookies remain on the hard drive for a defined period, making the sensitive data they contain accessible long-term. Storing sensitive data such as usernames, passwords, session tokens, or personal details in a persistent cookie exposes it to theft or misuse. Attackers can extract these cookies from browser files or through cross-site scripting (XSS) attacks, potentially leading to account takeover or privacy violations. Developers should instead use persistent cookies only for non-sensitive identifiers, storing the actual sensitive data securely on the server side where it can be properly protected.

Common Consequences
Scope: Confidentiality

Impact: Read Application Data

Detection Methods

Automated Static Analysis (Effectiveness: High)
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.).
Potential Mitigations
Phase: Architecture and Design
Do not store sensitive information in persistent cookies.
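Added example, not part of the CWE entry: the weak pattern (credentials in 30-day cookies) beside the mitigated one (an opaque random id in a session cookie, with the real data kept server-side), plus a small review check that flags persistent Set-Cookie values whose names look sensitive. SESSION_STORE, SENSITIVE_NAMES and the function names are assumptions made for this example; it uses only the standard library.

```python
import secrets
from http.cookies import SimpleCookie

THIRTY_DAYS = 60 * 60 * 24 * 30
# Constructed server-side session store: opaque id -> data that must never reach
# the client. A real deployment would use a database or cache with expiry.
SESSION_STORE = {}
# Hypothetical list of cookie names that usually carry sensitive data.
SENSITIVE_NAMES = {"user", "username", "pw", "password", "token", "email", "ssn"}

def vulnerable_set_cookie(username, password):
    """The weakness: credentials written into cookies that persist on disk for 30 days."""
    c = SimpleCookie()
    c["user"] = username
    c["user"]["max-age"] = THIRTY_DAYS
    c["pw"] = password
    c["pw"]["max-age"] = THIRTY_DAYS
    return [m.OutputString() for m in c.values()]

def hardened_set_cookie(username):
    """Mitigation: keep the identity server-side and give the browser only an opaque
    random id. No Max-Age/Expires makes it a session cookie; Secure, HttpOnly and
    SameSite limit exposure in transit, to scripts and to cross-site requests."""
    sid = secrets.token_urlsafe(32)
    SESSION_STORE[sid] = {"user": username}
    c = SimpleCookie()
    c["sid"] = sid
    c["sid"]["secure"] = True
    c["sid"]["httponly"] = True
    c["sid"]["samesite"] = "Lax"
    return [c["sid"].OutputString()]

def resolve_session(cookie_header):
    """Server-side lookup: the cookie value is only a key, the data lives here."""
    c = SimpleCookie()
    c.load(cookie_header)
    morsel = c.get("sid")
    return SESSION_STORE.get(morsel.value) if morsel else None

def audit_set_cookie(set_cookie_value):
    """Flag cookies that are persistent (Max-Age or Expires) and have a
    sensitive-looking name: a cheap review check for the pattern above."""
    c = SimpleCookie()
    c.load(set_cookie_value)
    findings = []
    for name, morsel in c.items():
        persistent = bool(morsel["max-age"]) or bool(morsel["expires"])
        if persistent and name.lower() in SENSITIVE_NAMES:
            findings.append(name)
    return findings
```

The name-based audit is a heuristic for code review or log checks; a SAST tool as described above would instead trace the sensitive value from its source to the cookie sink.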