Reliance on Cookies without Validation and Integrity Checking

Status: Incomplete
Abstraction: Base
Structure: Simple
Description

This vulnerability occurs when an application uses cookies to make security decisions—like granting access or changing settings—but fails to verify that the cookie data is legitimate, unaltered, and belongs to the current user.

Extended Description

Cookies are often used to store session identifiers, user preferences, or state information, but they are controlled by the client's browser. When an application blindly trusts cookie values without validating their integrity or checking if they match the authenticated user's session, attackers can forge or manipulate cookies to impersonate other users, escalate privileges, or bypass security controls. To prevent this, developers should treat all client-side data, including cookies, as untrusted input. Implement server-side validation for any cookie used in security decisions, use cryptographically signed or encrypted cookies to prevent tampering, and bind session cookies to specific user attributes (like IP address or user agent) to detect session hijacking attempts.

Common Consequences
Scope: Confidentiality, Integrity, Availability

Impact: Modify Application Data; Execute Unauthorized Code or Commands

Attackers can easily modify cookies, within the browser or by implementing the client-side code outside of the browser. Reliance on cookies without detailed validation and integrity checking can allow attackers to bypass authentication, conduct injection attacks such as SQL injection and cross-site scripting, or otherwise modify inputs in unexpected ways.

Scope: Access Control

Impact: Gain Privileges or Assume Identity

It is dangerous to use cookies to set a user's privileges. The cookie can be manipulated to escalate an attacker's privileges to an administrative level.

Detection Methods
Automated Static Analysis (Effectiveness: High)
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Potential Mitigations
Phase: Architecture and Design
Avoid using cookie data for a security-related decision.
Phase: Implementation
Perform thorough input validation (i.e., server-side validation) on the cookie data if you're going to use it for a security-related decision.
Phase: Architecture and Design
Add integrity checks to detect tampering.
Phase: Architecture and Design
Protect critical cookies from replay attacks, since cross-site scripting or other attacks may allow attackers to steal a strongly-encrypted cookie that also passes integrity checks. This mitigation applies to cookies that should only be valid during a single transaction or session. By enforcing timeouts, you may limit the scope of an attack. As part of your integrity check, use an unpredictable, server-side value that is not exposed to the client.
Demonstrative Examples

ID: DX-61

The following code excerpt reads a value from a browser cookie to determine the role of the user.

Code Example (Bad), Java:
It is easy for an attacker to modify the "role" value found in the locally stored cookie, allowing privilege escalation.
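As an added example (not the CWE entry's own Java listing), the unvalidated "role" cookie pattern in Python beside two of the mitigations listed above: an HMAC-signed cookie with an expiry (integrity check plus replay limit), and an opaque server-side session id so that no security-relevant value travels in the cookie at all. SECRET, the in-memory session store and the cookie format are constructed for this demo.

```python
import base64
import hashlib
import hmac
import secrets

# Assumption: a server-side key that is never sent to the browser (constructed demo value).
SECRET = b"constructed-demo-key-do-not-reuse"

def read_role_unvalidated(cookies: dict) -> str:
    """The weak pattern from the page: the role is whatever the browser sent."""
    return cookies.get("role", "guest")

def sign_cookie(payload: str, expires_at: int, secret: bytes = SECRET) -> str:
    """Build 'payload.expiry.mac'; the MAC covers payload and expiry together,
    so neither can be changed without the server-side key."""
    body = f"{payload}.{expires_at}"
    mac = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return body + "." + base64.urlsafe_b64encode(mac).decode().rstrip("=")

def verify_cookie(cookie: str, now: int, secret: bytes = SECRET):
    """Return the payload only if the MAC matches and the cookie has not expired."""
    try:
        payload, exp_str, _mac = cookie.rsplit(".", 2)
        expires_at = int(exp_str)
    except ValueError:  # malformed: wrong number of fields or non-numeric expiry
        return None
    expected = sign_cookie(payload, expires_at, secret)
    # Constant-time comparison of the whole cookie against a freshly computed one.
    if not hmac.compare_digest(expected.encode(), cookie.encode()):
        return None
    if now >= expires_at:  # bounded lifetime limits replay of a stolen cookie
        return None
    return payload

# Stronger option: keep the role on the server and hand the browser only an
# unpredictable session id, so there is no security-relevant value to tamper with.
SESSIONS: dict = {}

def create_session(user: str, role: str) -> str:
    sid = secrets.token_urlsafe(32)  # server-generated, not derivable by the client
    SESSIONS[sid] = {"user": user, "role": role}
    return sid

def role_from_session(cookies: dict) -> str:
    """Unknown or missing session ids fall back to the least-privileged role."""
    return SESSIONS.get(cookies.get("sid", ""), {}).get("role", "guest")
```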
Observed Examples
CVE-2008-5784: e-dating application allows admin privileges by setting the admin cookie to 1.
Modes of Introduction
Architecture and Design
Implementation
Taxonomy Mapping
  • Software Fault Patterns
Notes
Relationship: This problem can be primary to many types of weaknesses in web applications. A developer may perform proper validation against URL parameters while assuming that attackers cannot modify cookies. As a result, the program might skip basic input validation to enable cross-site scripting, SQL injection, price tampering, and other attacks.