CWE-315: Cleartext Storage of Sensitive Information in a Cookie

Description

The product stores sensitive information in cleartext in a cookie.

Extended Description

Attackers can use widely-available tools to view the cookie and read the sensitive information. Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information.

ThreatScore

Threat Mapped score: 3.0

Industry: Finiancial

Threat priority: P2 - Serious (High)

Observed Examples (CVEs)

CVE: CVE-2002-1800

Admin password in cleartext in a cookie.
CVE: CVE-2001-1537

Default configuration has cleartext usernames/passwords in cookie.
CVE: CVE-2001-1536

Usernames/passwords in cleartext in cookies.
CVE: CVE-2005-2160

Authentication information stored in cleartext in a cookie.

Related Attack Patterns (CAPEC)

Attack TTPs

T1539 — Steal Web Session Cookie (credential-access)
T1005 — Data from Local System (collection)
T1552.004 — Private Keys (credential-access)

Malware

APTs (Intrusion Sets)

Modes of Introduction

Phase	Note
Architecture and Design	OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase.

Common Consequences

Impact: Read Application Data — Notes:

Potential Mitigations

None listed.

Applicable Platforms

None (Not Language-Specific, Undetermined)

Demonstrative Examples

Intro: The following code excerpt stores a plaintext user account ID in a browser cookie.

Body: Because the account ID is in plaintext, the user's account information is exposed if their computer is compromised by an attacker.

response.addCookie( new Cookie("userAccountID", acctID) );

Notes

Terminology: Different people use "cleartext" and "plaintext" to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).

← Back to CWE list