CWE-539: Use of Persistent Cookies Containing Sensitive Information
Learn about CWE-539 (Use of Persistent Cookies Containing Sensitive Information), its security impact, exploitation methods, and prevention guidelines.
What is Use of Persistent Cookies Containing Sensitive Information?
• Overview:
- CWE-539 refers to an application storing sensitive information in a persistent cookie, which exposes that information beyond the current browser session. Persistent cookies are written to the user's device and remain available across multiple sessions, unlike session cookies, which are deleted when the session ends.
• Exploitation Methods:
- An attacker who gains access to the user's device, or who exploits a browser vulnerability, can read the cookies stored on it.
- Common attack patterns include cross-site scripting (XSS), where injected script reads the cookie, and physical access to the device on which the cookies are stored.
• Security Impact:
- Direct consequences include unauthorized access to sensitive data, such as session identifiers or login credentials.
- Potential cascading effects include session hijacking, unauthorized transactions, or identity theft.
- Business impact could involve data breaches, loss of customer trust, legal liabilities, and financial losses.
• Prevention Guidelines:
- Avoid storing sensitive information in cookies, especially persistent ones. Use session cookies wherever possible.
- Set secure cookie attributes such as HttpOnly and Secure to protect cookie data from unauthorized access (HttpOnly keeps the cookie out of reach of client-side script; Secure restricts it to HTTPS).
- Regularly clear or expire persistent cookies and encourage users to log out after usage.
- Use tools and frameworks that provide secure cookie management, such as content security policies (CSP) and secure session management libraries.
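The guidelines above in code, as an added example that is not part of the CWE entry or of any vendor's tooling: the first function builds a Set-Cookie header the CWE-539 way (credentials in a cookie with a 30-day Max-Age), the second builds the hardened form (an opaque session identifier with no Max-Age/Expires, plus HttpOnly, Secure and SameSite), and the audit function flags headers that match the weakness. The cookie names, the sample credentials, and the list of "sensitive-looking" cookie names used by the audit are assumptions made for this illustration; only Python's standard library is used.

```python
"""Added example for CWE-539: build and audit Set-Cookie headers.

Everything here is illustrative; the cookie names, sample values and
SENSITIVE_NAMES heuristic are assumptions, not part of the CWE entry.
"""
import secrets
from http.cookies import SimpleCookie
from typing import Dict, List, Optional, Tuple, Union

# Assumed heuristic: cookie names that suggest the value itself is sensitive.
# A real audit needs to know what the application actually stores.
SENSITIVE_NAMES = {"creds", "password", "username", "email", "token"}


def vulnerable_cookie(username: str, password: str) -> str:
    """CWE-539 pattern: plaintext credentials in a cookie that persists 30 days."""
    c = SimpleCookie()
    c["creds"] = f"{username}:{password}"
    # Max-Age turns this into a persistent cookie: written to disk and
    # sent on every request until it expires, even after a browser restart.
    c["creds"]["max-age"] = 30 * 24 * 60 * 60
    return c["creds"].OutputString()


def hardened_cookie(session_id: Optional[str] = None) -> str:
    """Hardened form: opaque session identifier in a session cookie."""
    c = SimpleCookie()
    # The cookie carries only a random handle; the sensitive data stays server-side.
    c["session"] = session_id or secrets.token_urlsafe(32)
    m = c["session"]
    m["httponly"] = True      # not readable via document.cookie
    m["secure"] = True        # only sent over HTTPS
    m["samesite"] = "Strict"  # not attached to cross-site requests
    m["path"] = "/"
    # No Max-Age and no Expires: the browser discards it when the session ends.
    return m.OutputString()


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, Union[str, bool]]]:
    """Split a Set-Cookie value into (name, value, {attribute: value-or-True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Union[str, bool]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_eq, val = part.partition("=")
        # Flag attributes (HttpOnly, Secure) have no value; store them as True.
        attrs[key.strip().lower()] = val.strip() if has_eq else True
    return name.strip(), value, attrs


def audit_set_cookie(header: str) -> List[str]:
    """Return findings for one Set-Cookie header; empty list means no issue found."""
    name, _value, attrs = parse_set_cookie(header)
    findings: List[str] = []
    persistent = "max-age" in attrs or "expires" in attrs
    if persistent and name.lower() in SENSITIVE_NAMES:
        findings.append(f"CWE-539: persistent cookie '{name}' appears to carry sensitive data")
    if "httponly" not in attrs:
        findings.append(f"cookie '{name}' lacks HttpOnly")
    if "secure" not in attrs:
        findings.append(f"cookie '{name}' lacks Secure")
    return findings


if __name__ == "__main__":
    for hdr in (vulnerable_cookie("alice", "hunter2"), hardened_cookie()):
        print(hdr)
        print("  findings:", audit_set_cookie(hdr) or "none")
```

Running the module prints both headers with their findings: the credentials cookie is reported as CWE-539 and as missing HttpOnly and Secure, while the session cookie produces no findings. The audit is deliberately conservative: it only reports CWE-539 when a cookie is both persistent and sensitive-looking, because a persistent cookie holding a harmless preference is not the weakness this entry describes.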
Corgea can automatically detect and fix Use of Persistent Cookies Containing Sensitive Information in your codebase. Try Corgea free today.
Technical Details
Likelihood of Exploit: Not specified
Affected Languages: Not specified
Affected Technologies: Not specified
