CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

Description

The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.

Extended Description

N/A

ThreatScore

Threat Mapped score: 0.0

Industry: Finiancial

Threat priority: Unclassified

Observed Examples (CVEs)

CVE: CVE-2004-0462

A product does not set the Secure attribute for sensitive cookies in HTTPS sessions, which could cause the user agent to send those cookies in plaintext over an HTTP session with the product.
CVE: CVE-2008-3663

A product does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
CVE: CVE-2008-3662

A product does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
CVE: CVE-2008-0128

A product does not set the secure flag for a cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.

Related Attack Patterns (CAPEC)

CAPEC-102

Attack TTPs

N/A

Modes of Introduction

Phase	Note
Implementation	N/A

Common Consequences

Impact: Read Application Data — Notes:

Potential Mitigations

Implementation: Always set the secure attribute when the cookie should sent via HTTPS only. (N/A)

Applicable Platforms

None listed.

Demonstrative Examples

Intro: The snippet of code below, taken from a servlet doPost() method, sets an accountID cookie (sensitive) without calling setSecure(true).

Cookie c = new Cookie(ACCOUNT_ID, acctID); response.addCookie(c);

Notes

No notes available.

← Back to CWE list