logo

Cookie Poisoning

  • Risk:
  • Informational

  • Type:
  • Passive
Summary

This check looks at user-supplied input in query string parameters and POST data to identify where cookie parameters might be controlled. This is called a cookie poisoning attack, and becomes exploitable when an attacker can manipulate the cookie in various ways. In some cases this will not be exploitable, however, allowing URL parameters to set cookie values is generally considered a bug.

Solution

Do not allow user input to control cookie names and values. If some query string parameters must be set in cookie values, be sure to filter out semicolon's that can serve as name/value pair delimiters.

Other info
An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name=controlledValue;name=anotherValue;). This was identified at: https://example.com/transact User-input was found in the following cookie: value=poison; SameSite=Strict The user input was: place=poison
References

https://en.wikipedia.org/wiki/HTTP_cookie

https://cwe.mitre.org/data/definitions/565.html

Free security scan for your website