CWE-539: Use of Persistent Cookies Containing Sensitive Information
Learn about CWE-539 (Use of Persistent Cookies Containing Sensitive Information), its security impact, exploitation methods, and prevention guidelines.
What is Use of Persistent Cookies Containing Sensitive Information?
• Overview:
- CWE-539 refers to the use of persistent cookies to store sensitive information, which is a security risk. A persistent cookie carries an Expires or Max-Age attribute and is written to disk on the user's device, so it survives across browser sessions; a session cookie has no such attribute and is discarded when the browser session ends.
• Exploitation Methods:
- Because a persistent cookie is stored on disk, an attacker who gains access to the device (or to its backups) can read it long after the user has closed the browser; browser vulnerabilities or malware on the device can expose the same files.
- Common attack patterns include cross-site scripting (XSS), where injected script reads the cookie through the browser's document.cookie interface (unless the cookie is marked HttpOnly), and physical access to the device on which the cookies are stored.
• Security Impact:
- Direct consequences include unauthorized access to sensitive data, such as session identifiers or login credentials.
- Potential cascading effects include session hijacking, unauthorized transactions, or identity theft.
- Business impact could involve data breaches, loss of customer trust, legal liabilities, and financial losses.
• Prevention Guidelines:
- Avoid storing sensitive information in cookies, and never in persistent ones. Keep the sensitive data server-side and let the cookie hold only an opaque identifier; use session cookies wherever possible.
- Set the secure cookie attributes: HttpOnly, so that client-side script cannot read the cookie, and Secure, so that the browser only sends it over HTTPS.
- Give any persistent cookie that cannot be avoided a short expiry, clear it on logout, and encourage users to log out after use.
- Use frameworks and libraries that provide secure session management (opaque session identifiers with the safe attributes set by default), and deploy a content security policy (CSP) to reduce the XSS risk through which cookies are read.
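The contrast above, as an added example (not from the CWE entry or any particular project): a CWE-539 style cookie that stores credentials persistently, the hardened form that stores only an opaque session id with HttpOnly, Secure and SameSite set and no expiry, and a small audit function that a test suite can run over Set-Cookie headers to flag persistent cookies, missing attributes, and known secrets appearing in cookie values. It uses only Python's standard library; the cookie names, the in-memory session store, the username and the password are constructed for the example.

```python
from http.cookies import SimpleCookie
import secrets

ONE_YEAR = 60 * 60 * 24 * 365


def build_weak_cookie(username: str, password: str) -> str:
    """The CWE-539 pattern: credentials in a persistent cookie. Shown only for contrast."""
    jar = SimpleCookie()
    jar["auth"] = f"{username}:{password}"   # sensitive data in the cookie value
    jar["auth"]["max-age"] = ONE_YEAR         # Max-Age makes it persistent (written to disk)
    jar["auth"]["path"] = "/"
    return jar["auth"].OutputString()          # no HttpOnly, no Secure


def build_hardened_cookie(session_store: dict, username: str) -> tuple[str, str]:
    """Session cookie holding only an opaque random id; the user data stays server-side.

    session_store is a hypothetical in-memory dict standing in for a real session backend.
    Returns the Set-Cookie header value and the session id.
    """
    sid = secrets.token_urlsafe(32)            # 256 bits of randomness, unguessable
    session_store[sid] = {"user": username}    # sensitive state lives on the server
    jar = SimpleCookie()
    jar["sid"] = sid
    jar["sid"]["path"] = "/"
    jar["sid"]["httponly"] = True              # script cannot read it via document.cookie
    jar["sid"]["secure"] = True                # sent over HTTPS only
    jar["sid"]["samesite"] = "Strict"          # not attached to cross-site requests
    # No Max-Age / Expires: the browser discards the cookie when the session ends.
    return jar["sid"].OutputString(), sid


def audit_set_cookie(header: str, known_secrets=()) -> list[str]:
    """Parse a Set-Cookie header value and return a list of findings (empty = clean).

    known_secrets: values (passwords, tokens) that must never appear in a cookie;
    a test suite can pass the credentials it used to log in.
    """
    findings = []
    jar = SimpleCookie()
    jar.load(header)
    for name, morsel in jar.items():
        persistent = bool(morsel["max-age"]) or bool(morsel["expires"])
        if persistent:
            findings.append(f"{name}: persistent cookie (Max-Age/Expires set)")
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly")
        if not morsel["secure"]:
            findings.append(f"{name}: missing Secure")
        for secret in known_secrets:
            if secret and secret in morsel.value:
                findings.append(f"{name}: cookie value contains a known secret")
                break
    return findings


if __name__ == "__main__":
    weak = build_weak_cookie("alice", "hunter2")          # constructed credentials
    print("weak:    ", weak)
    for f in audit_set_cookie(weak, ["hunter2"]):
        print("  finding:", f)

    store = {}
    hardened, sid = build_hardened_cookie(store, "alice")
    print("hardened:", hardened)
    print("  findings:", audit_set_cookie(hardened, ["hunter2"]) or "none")
```

The audit relies on the stdlib cookie parser, so it only sees attributes that parser understands (Expires, Max-Age, Path, Domain, Secure, HttpOnly, SameSite); a cookie that leaks sensitive data in an encoded or hashed form will not be caught by the known-secrets check, which is why the design choice of keeping everything but an opaque id out of the cookie matters more than the check itself.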
Technical Details
Likelihood of Exploit: Not specified
Affected Languages: Not specified
Affected Technologies: Not specified