Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
ID: 614 | Date: (C)2012-05-14 (M)2022-10-10 |
Type: weakness | Status: DRAFT |
Abstraction Type: Variant |
Description
The Secure attribute for sensitive cookies in HTTPS sessions is
not set, which could cause the user agent to send those cookies in plaintext
over an HTTP session.
Applicable Platforms: None
Time Of Introduction
Related Attack Patterns
Common Consequences
Scope | Technical Impact | Notes |
---|---|---|
Confidentiality | Read application data | |
Detection Methods: None
Potential Mitigations
Phase | Strategy | Description | Effectiveness | Notes |
---|---|---|---|---|
Implementation | | Always set the Secure attribute when the cookie should be sent via HTTPS only. | | |
Relationships
Related CWE | Type | View | Chain |
---|---|---|---|
CWE-614 ChildOf CWE-895 | Category | CWE-888 | |
Demonstrative Examples (Details)
- The snippet of code below, taken from a servlet doPost() method, sets an accountID cookie (sensitive) without calling setSecure(true).
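As an added example, not part of the CWE entry, the following Python code audits the Set-Cookie headers an HTTPS response returns, flags sensitive cookies that lack the Secure attribute (the defect the servlet example above exhibits and the mitigation above addresses), and shows the fix by appending the attribute. The list of sensitive cookie names and the sample headers are constructed for this example; in the servlet case the equivalent fix is the cookie.setSecure(true) call the entry names.

```python
"""Audit Set-Cookie headers for sensitive cookies missing the Secure attribute (CWE-614)."""
from dataclasses import dataclass, field

# Cookie names treated as sensitive by this check (constructed list; tune per application).
SENSITIVE_NAMES = {"accountid", "sessionid", "jsessionid", "auth", "token"}

# Constructed sample headers, as a scanner might capture them from one HTTPS response.
SAMPLE_HEADERS = [
    "accountID=12345; Path=/; HttpOnly",          # sensitive, no Secure -> finding
    "JSESSIONID=abc; Path=/; Secure; HttpOnly",   # sensitive, Secure present -> fine
    "theme=dark; Path=/",                         # not sensitive -> ignored
]


@dataclass
class ParsedCookie:
    name: str
    value: str
    # lower-cased attribute name -> attribute value, or True for flag attributes
    attributes: dict = field(default_factory=dict)

    def is_secure(self) -> bool:
        return "secure" in self.attributes


def parse_set_cookie(header: str) -> ParsedCookie:
    """Parse one Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep or not name.strip():
        raise ValueError(f"malformed Set-Cookie header: {header!r}")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return ParsedCookie(name.strip(), value.strip(), attrs)


def find_insecure_sensitive(headers, over_https=True):
    """Return names of sensitive cookies set in an HTTPS session without the Secure attribute."""
    findings = []
    if not over_https:
        # Secure only has meaning for cookies issued over HTTPS, which is the scope of CWE-614.
        return findings
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie.name.lower() in SENSITIVE_NAMES and not cookie.is_secure():
            findings.append(cookie.name)
    return findings


def add_secure(header: str) -> str:
    """Mitigation: return the header with '; Secure' appended if it is missing."""
    if parse_set_cookie(header).is_secure():
        return header
    return header.rstrip("; ") + "; Secure"


if __name__ == "__main__":
    for name in find_insecure_sensitive(SAMPLE_HEADERS):
        print(f"sensitive cookie '{name}' set over HTTPS without Secure")
    for header in SAMPLE_HEADERS:
        print("fixed:", add_secure(header))
```

The check is deliberately scoped to HTTPS responses: a cookie issued over plain HTTP is a different weakness, and the user agent cannot honour Secure there. Run the file directly to see the finding for accountID and the corrected headers.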
Observed Examples
- CVE-2004-0462 : A product does not set the Secure attribute for sensitive cookies in HTTPS sessions, which could cause the user agent to send those cookies in plaintext over an HTTP session with the product.
- CVE-2008-3663 : A product does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
- CVE-2008-3662 : A product does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
- CVE-2008-0128 : A product does not set the secure flag for a cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
White Box Definitions: None
Black Box Definitions: None
Taxonomy Mappings
Taxonomy | Id | Name | Fit |
---|---|---|---|
Anonymous Tool Vendor (under NDA) | | | |
References: None