Cookie Poisoning
- Risk:
Informational
- Type:
- Passive
- CWE:
- CWE-565
- Summary
This check looks at user-supplied input in query string parameters and POST data to identify where cookie parameters might be controlled. This is called a cookie poisoning attack, and becomes exploitable when an attacker can manipulate the cookie in various ways. In some cases this will not be exploitable, however, allowing URL parameters to set cookie values is generally considered a bug.
- Solution
Do not allow user input to control cookie names and values. If some query string parameters must be set in cookie values, be sure to filter out semicolon's that can serve as name/value pair delimiters.
- Other info
- An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name=controlledValue;name=anotherValue;). This was identified at: https://example.com/transact User-input was found in the following cookie: value=poison; SameSite=Strict The user input was: place=poison
Oracle silently fixes zero-day exploit leaked by ShinyHunters
CISA: High-severity Windows SMB flaw now exploited in attacks
Hard-coded credentials found in Moxa industrial security appliances, routers (CVE-2025-6950)
Silver Fox Expands Winos 4.0 Attacks to Japan and Malaysia via HoldingHands RAT
New .NET CAPI Backdoor Targets Russian Auto and E-Commerce Firms via Phishing ZIPs
CISA confirms hackers exploited Oracle E-Business Suite SSRF flaw
New FileFix attack uses cache smuggling to evade security software
North Korean Hackers Use EtherHiding to Hide Malware Inside Blockchain Smart Contracts
Over 75,000 WatchGuard security devices vulnerable to critical RCE
CVE-2025-61884 Oracle E-Business Suite Server-Side Request Forgery (SSRF) Vulnerability
CVE-2025-33073 Microsoft Windows SMB Client Improper Access Control Vulnerability
CVE-2022-48503 Apple Multiple Products Unspecified Vulnerability
CVE-2025-54253 Adobe Experience Manager Forms Code Execution Vulnerability
CVE-2016-7836 SKYSEA Client View Improper Authentication Vulnerability
CVE-2025-6264 Rapid7 Velociraptor Incorrect Default Permissions Vulnerability
CVE-2025-59230 Microsoft Windows Improper Access Control Vulnerability
CVE-2025-24990 Microsoft Windows Untrusted Pointer Dereference Vulnerability
InformationalInformation Disclosure - JWT in Browser sessionStorage
InformationalSplit Viewstate in Use
HighLDAP Injection
InformationalImage Exposes Location or Privacy Data
InformationalStrict-Transport-Security Header on Plain HTTP Response
InformationalStorable and Cacheable Content
LowInsufficient Site Isolation Against Spectre Vulnerability
Free online web security scanner