CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
Learn about CWE-614 (Sensitive Cookie in HTTPS Session Without 'Secure' Attribute), its security impact, exploitation methods, and prevention guidelines.
What is Sensitive Cookie in HTTPS Session Without 'Secure' Attribute?
• Overview: Sensitive cookies set during an HTTPS session are not marked with the 'Secure' attribute, so the browser will also send them in plaintext whenever it makes an HTTP request to the same host.
• Exploitation Methods:
- Attackers can intercept cookies when they are sent over an insecure HTTP connection.
- Common attacks include man-in-the-middle (MITM) attacks where attackers capture traffic on unsecured networks.
• Security Impact:
- Direct consequences include exposure of sensitive cookie data like session tokens.
- Potential cascading effects include session hijacking and unauthorized access.
- Business impact involves data breaches, loss of user trust, and potential legal ramifications.
• Prevention Guidelines:
- Ensure cookies intended for secure contexts are marked with the 'Secure' attribute in your code.
- Follow security best practices by transmitting sensitive data over HTTPS only.
- Use recommended tools and frameworks that enforce secure cookie attributes by default.
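As an added example (not part of the original page), the following Python code audits Set-Cookie headers for the weakness described above and builds a hardened replacement; the sample headers and the list of "sensitive" name fragments are constructed for the demonstration.

```python
"""Detect CWE-614 in Set-Cookie headers and emit a hardened cookie."""
from http.cookies import SimpleCookie

# Constructed heuristic for this example: name fragments treated as sensitive.
SENSITIVE_NAMES = ("session", "sess", "token", "auth", "jwt", "sid")

def parse_set_cookie(header: str) -> dict:
    """Return the cookie name plus a lower-cased set of its attribute names."""
    name_value, *attrs = [p.strip() for p in header.split(";")]
    name = name_value.split("=", 1)[0]
    return {"name": name,
            "attrs": {a.split("=", 1)[0].lower() for a in attrs if a}}

def is_sensitive(name: str) -> bool:
    lowered = name.lower()
    return any(marker in lowered for marker in SENSITIVE_NAMES)

def audit_set_cookie(headers, over_https=True):
    """Names of sensitive cookies set over HTTPS without the Secure attribute.

    Without Secure, the browser resends the cookie on any plaintext http://
    request to the same host, which is the exposure CWE-614 describes.
    """
    if not over_https:
        return []  # whole session is already plaintext; a different weakness
    return [c["name"] for c in map(parse_set_cookie, headers)
            if is_sensitive(c["name"]) and "secure" not in c["attrs"]]

def hardened_set_cookie(name, value, max_age=3600):
    """Build a Set-Cookie value with Secure plus its usual companions."""
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["secure"] = True      # never sent over plaintext HTTP
    cookie[name]["httponly"] = True    # not readable from document.cookie
    cookie[name]["samesite"] = "Lax"   # limits cross-site sending
    cookie[name]["path"] = "/"
    cookie[name]["max-age"] = max_age
    return cookie.output(header="").strip()

# Constructed sample response headers for the demonstration.
SAMPLE_HEADERS = [
    "SESSIONID=abc123; Path=/; HttpOnly",                 # vulnerable
    "csrftoken=x9y8z7; Path=/; Secure; SameSite=Strict",  # fine
    "theme=dark; Path=/",                                  # not sensitive
]

if __name__ == "__main__":
    print(audit_set_cookie(SAMPLE_HEADERS))        # ['SESSIONID']
    print(hardened_set_cookie("SESSIONID", "abc123"))
```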
Corgea can automatically detect and fix Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in your codebase. Try Corgea free today.
Technical Details
Likelihood of Exploit: Not specified
Affected Languages: Not specified
Affected Technologies: Web Based