{"@ID": "784", "@Name": "Reliance on Cookies without Validation and Integrity Checking in a Security Decision", "@Abstraction": "Variant", "@Structure": "Simple", "@Status": "Draft", "Description": "The product uses a protection mechanism that relies on the existence or values of a cookie, but it does not properly ensure that the cookie is valid for the associated user.", "Extended_Description": "Attackers can easily modify cookies, within the browser or by implementing the client-side code outside of the browser. Attackers can bypass protection mechanisms such as authorization and authentication by modifying the cookie to contain an expected value.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "807", "@View_ID": "1000"}, {"@Nature": "ChildOf", "@CWE_ID": "565", "@View_ID": "1000", "@Ordinal": "Primary"}]}, "Weakness_Ordinalities": {"Weakness_Ordinality": {"Ordinality": "Primary"}}, "Applicable_Platforms": {"Language": {"@Class": "Not Language-Specific", "@Prevalence": "Undetermined"}, "Technology": [{"@Class": "Web Based", "@Prevalence": "Often"}, {"@Name": "Web Server", "@Prevalence": "Undetermined"}]}, "Modes_Of_Introduction": {"Introduction": {"Phase": "Implementation"}}, "Likelihood_Of_Exploit": "High", "Common_Consequences": {"Consequence": {"Scope": "Access Control", "Impact": ["Bypass Protection Mechanism", "Gain Privileges or Assume Identity"], "Note": "It is dangerous to use cookies to set a user's privileges. The cookie can be manipulated to claim a high level of authorization, or to claim that successful authentication has occurred."}}, "Potential_Mitigations": {"Mitigation": [{"Phase": "Architecture and Design", "Description": "Avoid using cookie data for a security-related decision."}, {"Phase": "Implementation", "Description": "Perform thorough input validation (i.e.: server side validation) on the cookie data if you're going to use it for a security related decision."}, {"Phase": "Architecture and Design", "Description": "Add integrity checks to detect tampering."}, {"Phase": "Architecture and Design", "Description": "Protect critical cookies from replay attacks, since cross-site scripting or other attacks may allow attackers to steal a strongly-encrypted cookie that also passes integrity checks. This mitigation applies to cookies that should only be valid during a single transaction or session. By enforcing timeouts, you may limit the scope of an attack. As part of your integrity check, use an unpredictable, server-side value that is not exposed to the client."}]}, "Demonstrative_Examples": {"Demonstrative_Example": [{"@Demonstrative_Example_ID": "DX-15", "Intro_Text": "The following code excerpt reads a value from a browser cookie to determine the role of the user.", "Example_Code": {"@Nature": "Bad", "@Language": "Java", "xhtml:div": {"xhtml:br": null, "xhtml:div": {"@style": "margin-left:1em;", "xhtml:br": null, "xhtml:div": {"@style": "margin-left:1em;", "#text": "userRole = c.getValue();"}, "#text": "Cookie c = cookies[i];if (c.getName().equals(\"role\")) {}"}, "#text": "Cookie[] cookies = request.getCookies();for (int i =0; i< cookies.length; i++) {}"}}}, {"@Demonstrative_Example_ID": "DX-16", "Intro_Text": "The following code could be for a medical records application. It performs authentication by checking if a cookie has been set.", "Example_Code": {"@Nature": "Bad", "@Language": "PHP", "xhtml:div": {"xhtml:br": [null, null], "xhtml:div": {"@style": "margin-left:1em;", "xhtml:div": [{"@style": "margin-left:1em;", "xhtml:br": null, "#text": "// save the cookie to send out in future responsessetcookie(\"authenticated\", \"1\", time()+60*60*2);"}, {"@style": "margin-left:1em;", "xhtml:br": null, "#text": "ShowLoginScreen();die(\"\\n\");"}], "xhtml:br": null, "#text": "if (AuthenticateUser($_POST['user'], $_POST['password']) == \"success\") {}else {}"}, "#text": "$auth = $_COOKIES['authenticated'];if (! $auth) {}DisplayMedicalHistory($_POST['patient_ID']);"}}, "Body_Text": ["The programmer expects that the AuthenticateUser() check will always be applied, and the \"authenticated\" cookie will only be set when authentication succeeds. The programmer even diligently specifies a 2-hour expiration for the cookie.", "However, the attacker can set the \"authenticated\" cookie to a non-zero value such as 1. As a result, the $auth variable is 1, and the AuthenticateUser() check is not even performed. The attacker has bypassed the authentication."]}, {"@Demonstrative_Example_ID": "DX-17", "Intro_Text": "In the following example, an authentication flag is read from a browser cookie, thus allowing for external control of user state data.", "Example_Code": {"@Nature": "Bad", "@Language": "Java", "xhtml:div": {"xhtml:br": null, "xhtml:div": {"@style": "margin-left:1em;", "xhtml:br": null, "xhtml:div": {"@style": "margin-left:1em;", "#text": "authenticated = true;"}, "#text": "Cookie c = cookies[i];if (c.getName().equals(\"authenticated\") && Boolean.TRUE.equals(c.getValue())) {}"}, "#text": "Cookie[] cookies = request.getCookies();for (int i =0; i< cookies.length; i++) {}"}}}]}, "Observed_Examples": {"Observed_Example": [{"Reference": "CVE-2009-1549", "Description": "Attacker can bypass authentication by setting a cookie to a specific value.", "Link": "https://www.cve.org/CVERecord?id=CVE-2009-1549"}, {"Reference": "CVE-2009-1619", "Description": "Attacker can bypass authentication and gain admin privileges by setting an \"admin\" cookie to 1.", "Link": "https://www.cve.org/CVERecord?id=CVE-2009-1619"}, {"Reference": "CVE-2009-0864", "Description": "Content management system allows admin privileges by setting a \"login\" cookie to \"OK.\"", "Link": "https://www.cve.org/CVERecord?id=CVE-2009-0864"}, {"Reference": "CVE-2008-5784", "Description": "e-dating application allows admin privileges by setting the admin cookie to 1.", "Link": "https://www.cve.org/CVERecord?id=CVE-2008-5784"}, {"Reference": "CVE-2008-6291", "Description": "Web-based email list manager allows attackers to gain admin privileges by setting a login cookie to \"admin.\"", "Link": "https://www.cve.org/CVERecord?id=CVE-2008-6291"}]}, "References": {"Reference": [{"@External_Reference_ID": "REF-706"}, {"@External_Reference_ID": "REF-7", "@Section": "Chapter 13, \"Sensitive Data in Cookies and Fields\" Page 435"}]}, "Mapping_Notes": {"Usage": "Allowed", "Rationale": "This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.", "Comments": "Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.", "Reasons": {"Reason": {"@Type": "Acceptable-Use"}}}, "Notes": {"Note": {"@Type": "Maintenance", "#text": "A new parent might need to be defined for this entry. This entry is specific to cookies, which reflects the significant number of vulnerabilities being reported for cookie-based authentication in CVE during 2008 and 2009. However, other types of inputs - such as parameters or headers - could also be used for similar authentication or authorization. Similar issues (under the Research view) include CWE-247 and CWE-472."}}, "Content_History": {"Submission": {"Submission_Name": "CWE Content Team", "Submission_Organization": "MITRE", "Submission_Date": "2009-07-16", "Submission_Version": "1.5", "Submission_ReleaseDate": "2009-07-27"}, "Modification": [{"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2009-10-29", "Modification_Version": "1.6", "Modification_ReleaseDate": "2009-10-29", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2010-02-16", "Modification_Version": "1.8", "Modification_ReleaseDate": "2010-02-16", "Modification_Comment": "updated Demonstrative_Examples, References, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-06-01", "Modification_Version": "1.13", "Modification_ReleaseDate": "2011-06-01", "Modification_Comment": "updated Common_Consequences"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2017-01-19", "Modification_Version": "2.10", "Modification_ReleaseDate": "2017-01-19", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2017-11-08", "Modification_Version": "3.0", "Modification_ReleaseDate": "2017-11-08", "Modification_Comment": "updated Modes_of_Introduction, References, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2018-03-27", "Modification_Version": "3.1", "Modification_ReleaseDate": "2018-03-27", "Modification_Comment": "updated References"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-02-24", "Modification_Version": "4.0", "Modification_ReleaseDate": "2020-02-24", "Modification_Comment": "updated Applicable_Platforms, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2021-10-28", "Modification_Version": "4.6", "Modification_ReleaseDate": "2021-10-28", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-01-31", "Modification_Version": "4.10", "Modification_ReleaseDate": "2023-01-31", "Modification_Comment": "updated Description"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-04-27", "Modification_Version": "4.11", "Modification_ReleaseDate": "2023-04-27", "Modification_Comment": "updated Modes_of_Introduction, Relationships, Time_of_Introduction"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-06-29", "Modification_Version": "4.12", "Modification_ReleaseDate": "2023-06-29", "Modification_Comment": "updated Mapping_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-12-11", "Modification_Version": "4.19", "Modification_ReleaseDate": "2025-12-11", "Modification_Comment": "updated Applicable_Platforms, Relationships, Weakness_Ordinalities"}]}}
