CWE
Home > CWE List > CWE-315 Individual Dictionary Definition (Draft 9)   View the CWE List

CWE-315 Individual Dictionary Definition (Draft 9)

Plaintext Storage in a Cookie
Weakness ID
Status: Draft

315 (Weakness Variant)

Description

Summary

Storing sensitive data in plaintext in a cookie makes the data more easily accessible than if encrypted. This significantly lowers the difficulty of exploitation by attackers.

Potential Mitigations

Sensitive information should not be stored in plaintext in a cookie. Even if heavy fortifications are in place, sensitive data should be encrypted to prevent the risk of losing confidentiality.

Observed Examples
ReferenceDescription
CVE-2002-1800Admin password in plaintext in a cookie.
CVE-2001-1537Default configuration has cleartext usernames/passwords in cookie.
CVE-2001-1536Usernames/passwords in cleartext in cookies.
CVE-2005-2160Authentication information stored in cleartext in a cookie.
Relationships
NatureTypeIDName
ChildOfWeakness BaseWeakness BaseWeakness Base312Plaintext Storage of Sensitive Information
Source Taxonomies

PLOVER - Plaintext Storage in Cookie

Applicable Platforms

All

Related Attack Patterns
CAPEC-IDAttack Pattern Name
37Lifting Data Embedded in Client Distributions
74Manipulating User State
39Manipulating Opaque Client-based Data Tokens
31Accessing/Intercepting/Modifying HTTP Cookies
Page Last Updated: April 22, 2008