logo

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

Draft Variant
Structure: Simple
Description

The Secure attribute for sensitive cookies in HTTPS sessions is not set.

The Secure attribute for sensitive cookies in HTTPS sessions is not set.
Common Consequences 1
Scope: Confidentiality

Impact: Read Application Data

Omitting the secure flag makes it possible for the user agent to send the cookies in plaintext over an HTTP session.
Detection Methods 1
Automated Static AnalysisHigh
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Potential Mitigations 1
Phase: Implementation
Always set the secure attribute when the cookie should be sent via HTTPS only.
Demonstrative Examples 1
The snippet of code below, taken from a servlet doPost() method, sets an accountID cookie (sensitive) without calling setSecure(true).

Code Example:

Bad
Java
java
Observed Examples 4
CVE-2004-0462A product does not set the Secure attribute for sensitive cookies in HTTPS sessions, which could cause the user agent to send those cookies in plaintext over an HTTP session with the product.
CVE-2008-3663A product does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
CVE-2008-3662A product does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
CVE-2008-0128A product does not set the secure flag for a cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
Applicable Platforms
Technologies:
Web Based : Undetermined
Modes of Introduction
Implementation
Related Attack Patterns
Related Weaknesses
ChildOf: Cleartext Transmission of Sensitive Information (CWE-319)