Assessing a Web Site for Insecure Cookies

A cookie is a small piece of data sent from a website and stored on the user’s computer by the user’s web browser while the user is browsing. Their primary purpose is to allow the server to identify the user between visits as well as between requests (clicks).

There are three primary CWEs regarding insecure cookies:

  • CWE-1004: Sensitive Cookie Without the “HTTPOnly” Flag / CWE-539: Information Exposure Through Persistent Cookies
  • CWE-315: Cleartext Storage of Sensitive Information in a Cookie
  • CWE-614: Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute

For those of you using the CyberSecOlogy test plan, the security of a cookie can easily be viewed using the Web Developer plug-in or your ZAP proxy. The ZAP proxy makes it easy, as insecure cookies show up as alerts when you browse the site, spider the site or do an active scan.

For those who prefer the Web Developer plug-in, simply click on the Cookies tab and then on “View Cookie Information.” This will show you each of the cookies and their attributes:

bad cookie image

In the image above, there are four security mistakes made:

  1. Never, ever, ever store credentials in a cookie.
    • CWE-1004: Sensitive Cookie Without the “HttpOnly” Flag / CWE-539: Information Exposure Through Persistent Cookies
  2. If you do (but don’t!), make sure you add “Secure.” The Secure attribute restricts the cookie to HTTPS connections, so it would at least have been encrypted in transit.
    • CWE-614: Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute
  3. To prevent scripts running in the browser from being able to read the sensitive data in the cookie, make sure you add “HttpOnly.”
    • CWE-1004: Sensitive Cookie Without ‘HttpOnly’ Flag

For the fourth, open your OWASP ZAP, find the cookie titled “passwordEncoded,” paste the value into ZAP’s decode tool and try to identify what the value of the password is. If you can decode the password, write it up as CWE-261: Weak Cryptography for Passwords. You will see that the password is nothing more than a simple MD5 hash.

Image showing a cookie encoded with an MD5 hash
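The checks walked through above (missing Secure and HttpOnly, credentials or other sensitive data stored in a cookie, and a password value that is only an MD5 digest) can also be run as a script over the Set-Cookie headers you capture in ZAP or the browser plug-in. The following is an added example written for this post; it is not code from the post, from ZAP or from the Web Developer plug-in. The sample headers are constructed, the name patterns that decide which cookies count as "sensitive" are this example's own assumptions, and the CWE mapping follows the list in the post. It also shows the corrected Set-Cookie form beside the weak ones.

```python
"""Audit Set-Cookie headers for the cookie weaknesses discussed in the post."""
import re
from dataclasses import dataclass
from typing import Dict, List, Union

# Constructed sample of Set-Cookie headers, as they might appear in a ZAP
# history entry or the Web Developer plug-in's cookie view (not real traffic).
SAMPLE_SET_COOKIE_HEADERS = [
    "JSESSIONID=7A1B2C3D4E5F; Path=/; Secure; HttpOnly",
    "username=alice; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT",
    "passwordEncoded=5f4dcc3b5aa765d61d8327deb882cf99; Path=/",
    "theme=dark; Path=/",
]

# Heuristics chosen for this example (assumptions, not ZAP's own rules).
SENSITIVE_NAME = re.compile(r"pass|pwd|cred|token|session|auth|user", re.I)
CREDENTIAL_NAME = re.compile(r"pass|pwd|cred", re.I)
MD5_HEX = re.compile(r"[0-9a-f]{32}", re.I)
# Hex strings or long base64-like blobs are treated as opaque rather than cleartext.
OPAQUE_VALUE = re.compile(r"[0-9a-f]{12,}|[A-Za-z0-9+/=_-]{20,}", re.I)


@dataclass
class Cookie:
    name: str
    value: str
    attrs: Dict[str, Union[str, bool]]  # lower-cased attribute -> value, or True for flags


def parse_set_cookie(header: str) -> Cookie:
    """Split one Set-Cookie header into its name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Union[str, bool]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        # Flag attributes such as Secure and HttpOnly carry no "=value" part.
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return Cookie(name.strip(), value.strip(), attrs)


def audit_cookie(cookie: Cookie) -> List[str]:
    """Return the CWE identifiers from the post that apply to this cookie."""
    findings: List[str] = []
    if not SENSITIVE_NAME.search(cookie.name):
        return findings  # theme preferences and the like are out of scope
    persistent = "expires" in cookie.attrs or "max-age" in cookie.attrs
    if CREDENTIAL_NAME.search(cookie.name) or persistent:
        findings.append("CWE-539")  # credentials in a cookie, or sensitive data persisted to disk
    if "secure" not in cookie.attrs:
        findings.append("CWE-614")  # sensitive cookie may travel over plain HTTP
    if "httponly" not in cookie.attrs:
        findings.append("CWE-1004")  # readable by script in the page
    if MD5_HEX.fullmatch(cookie.value):
        findings.append("CWE-261")  # 32 hex chars: almost certainly an unsalted MD5 digest
    elif not OPAQUE_VALUE.fullmatch(cookie.value):
        findings.append("CWE-315")  # human-readable value under a sensitive name
    return findings


def audit_headers(headers: List[str]) -> Dict[str, List[str]]:
    """Audit every header and map cookie name -> sorted list of findings."""
    return {c.name: sorted(audit_cookie(c)) for c in map(parse_set_cookie, headers)}


def secure_set_cookie(name: str, value: str, path: str = "/") -> str:
    """Build a Set-Cookie header carrying the attributes the post asks for."""
    return f"{name}={value}; Path={path}; Secure; HttpOnly; SameSite=Strict"


if __name__ == "__main__":
    for cookie_name, cwes in audit_headers(SAMPLE_SET_COOKIE_HEADERS).items():
        print(f"{cookie_name:16} {', '.join(cwes) or 'OK'}")
    print(secure_set_cookie("JSESSIONID", "7A1B2C3D4E5F"))
```

Note that `secure_set_cookie` only fixes the transport and script-access problems: run it over a cookie named `username` with a readable value and the audit still reports CWE-315, which is the point of the post's first rule that the flags are no substitute for keeping credentials out of cookies altogether.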