Forms Authentication - Weak Cookie Protection
What does this mean?
The application uses a security mechanism that depends on the existence or value of a cookie, but it does not adequately verify that the cookie is valid for the associated user. Web cookies are a common and significant attack vector for malicious users, and the application should consistently take precautions to secure them.
What can happen?
Cookies can be readily modified by attackers, either within the browser or with client-side code running outside the browser. By changing a cookie to contain an expected value, attackers can circumvent protective mechanisms such as authorisation and authentication.
Recommendation
- Avoid using cookie data to make a security decision.
- If cookie data must be used for a security decision, make sure it is thoroughly validated on the server side.
- Include integrity checks to detect tampering.
- Protect critical cookies against replay attacks, because cross-site scripting or other techniques may let attackers steal a cookie that is strongly encrypted and also passes integrity checks.
Sample Code
Vulnerable:
// Vulnerable: the user's role is read straight from a client-controlled cookie,
// so whatever value the client sends becomes the effective role with no server-side check.
Cookie[] cookies = request.getCookies();
if (cookies != null) {                         // getCookies() returns null when the request carries no cookies
    for (int i = 0; i < cookies.length; i++) {
        Cookie c = cookies[i];
        if (c.getName().equals("role")) {
            userRole = c.getValue();           // trusted as-is: this is the flaw
        }
    }
}
Vulnerable:
// Vulnerable: the "authenticated" flag is read from the client's cookie and trusted
// as-is, so any request that carries authenticated=1 bypasses the login step entirely.
$auth = $_COOKIE['authenticated'] ?? '';     // the PHP superglobal is $_COOKIE, not $_COOKIES
if (!$auth) {
    if (AuthenticateUser($_POST['user'], $_POST['password']) == "success") {
        // save the cookie to send out in future responses
        setcookie("authenticated", "1", time() + 60 * 60 * 2);
    } else {
        ShowLoginScreen();
        die("\n");
    }
}
DisplayMedicalHistory($_POST['patient_ID']);
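The hardened counterpart to the two samples above, added here as an example (not part of this page's sample code), in Python: the role is looked up server side from a session store keyed by an opaque id, the cookie value is covered by an HMAC integrity check and an expiry, and logout revokes the session so a replayed copy stops working. The random SERVER_KEY and the in-memory ACTIVE_SESSIONS dict are constructed stand-ins for a secret store and a session backend.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed stand-ins: a random per-process key and an in-memory session store.
# A real deployment loads the key from a secret store and shares sessions in a backend.
SERVER_KEY = secrets.token_bytes(32)
ACTIVE_SESSIONS = {}  # sid -> {"uid": ..., "role": ...}

def b64enc(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def b64dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_auth_cookie(user_id, role, ttl=7200, now=None, key=SERVER_KEY):
    """Issue a signed cookie. The role never leaves the server; the cookie
    carries only an opaque session id and an expiry, both covered by the MAC."""
    now = time.time() if now is None else now
    sid = secrets.token_hex(16)
    ACTIVE_SESSIONS[sid] = {"uid": user_id, "role": role}
    payload = json.dumps({"sid": sid, "exp": int(now + ttl)}, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return b64enc(payload) + "." + b64enc(tag)

def parse_claims(cookie, now=None, key=SERVER_KEY):
    """Return the signed claims if the MAC verifies and the cookie is unexpired, else None."""
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = cookie.split(".")
        payload, tag = b64dec(payload_b64), b64dec(tag_b64)
    except (ValueError, TypeError, AttributeError):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # integrity check, constant time
        return None
    claims = json.loads(payload)
    return claims if claims.get("exp", 0) > now else None  # expiry bounds the replay window

def verify_auth_cookie(cookie, now=None, key=SERVER_KEY):
    """Return the server-side session record (uid, role) for a valid cookie.
    Malformed, tampered, expired and revoked cookies all yield None."""
    claims = parse_claims(cookie, now=now, key=key)
    return ACTIVE_SESSIONS.get(claims["sid"]) if claims else None

def revoke_session(cookie, now=None, key=SERVER_KEY):
    """Logout: drop the session so a stolen copy of the cookie stops working."""
    claims = parse_claims(cookie, now=now, key=key)
    return claims is not None and ACTIVE_SESSIONS.pop(claims["sid"], None) is not None
```

Compare with the Java sample: the client can still send any cookie it likes, but a changed payload fails the MAC, an old cookie fails the expiry check, and the role is never read from the cookie at all.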