CXX.SV.INSECURE_COOKIE

Klocwork reports a CXX.SV.INSECURE_COOKIE defect when an application uses cookies over a potentially unsecured network communication.

Vulnerability and risk

Cookies sent by using unsecured network communications can disclose important information such as session IDs. These unsecured communications are vulnerable to man-in-the-middle attacks, session hijacking, and the insertion of false information into a session.

Mitigation and prevention

A common mitigation strategy is to ensure that sessions are protected by using a transport encryption protocol such as SSL or TLS. These protocols ensure that authentication of the entities happens on the protocol level and that communications are encrypted for authenticated entities.

Always set the Secure flag when creating a cookie. Review the framework used to generate cookies to understand how to implement this functionality.

Vulnerable code example

1
2
3
4
5
void create_cookie(QNetworkCookieJar &cookieJar)
{
    QNetworkCookie cookie;
    cookieJar.insertCookie(cookie);   //CXX.SV.INSECURE_COOKIE
}

Klocwork reports a CXX.SV.INSECURE_COOKIE defect at 4, indicating the use of a cookie that could be used over a potentially unsecured network communication.

Fixed code example

1
2
3
4
5
6
void create_cookie(QNetworkCookieJar &cookieJar)
{
    QNetworkCookie cookie;
    cookie.setSecure(true);
    cookieJar.insertCookie(cookie);
}

Klockwork no longer reports a CXX.SV.INSECURE_COOKIE defect because the Secure flag on the cookie has been set by using a call to setSecure(true).

External guidance

• CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
• OWASP A5:2021 Security Misconfiguration
• STIG-ID:V-222577 (APSC-DV-002230): The application must not expose session IDs

Security training

Application security training materials provided by Secure Code Warrior.

• Disabled Security Features Training Video - Test your skills with a training example