CWE

Common Weakness Enumeration

A Community-Developed Dictionary of Software Weakness Types

CWE List version 2.7


CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

Weakness ID: 614 (Weakness Variant)
Status: Draft
+ Description

Description Summary

The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.
+ Time of Introduction
  • Implementation
+ Common Consequences
Scope: Confidentiality

Technical Impact: Read application data

+ Demonstrative Examples

Example 1

The snippet of code below, taken from a servlet doPost() method, sets an accountID cookie (sensitive) without calling setSecure(true). Because the Secure attribute is absent from the resulting Set-Cookie header, the browser will also attach the cookie to any plain-HTTP request it makes to the same host, where it can be read on the wire.

(Bad Code)
Example Language: Java 
Cookie c = new Cookie(ACCOUNT_ID, acctID);
// Missing: c.setSecure(true); without it the user agent will send the cookie over HTTP as well
response.addCookie(c);
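The same cookie issued correctly, as an added example that is not part of the CWE entry. The servlet class, the ACCOUNT_ID constant and the lookupAccountId() helper are assumed names standing in for the ACCOUNT_ID and acctID of the snippet above; the __Host- header form is shown as the alternative for when SameSite or a cookie-name prefix is wanted, since javax.servlet.http.Cookie has no setter for either.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example: the accountID cookie from the CWE snippet, issued with the
// Secure attribute. Class name, ACCOUNT_ID and lookupAccountId() are assumed.
public class AccountCookieServlet extends HttpServlet {
    private static final String ACCOUNT_ID = "accountID";
    private static final int THIRTY_MINUTES = 30 * 60;

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Do not issue a sensitive cookie on a request that did not arrive over TLS:
        // the credential that authorised it already travelled in cleartext, and current
        // browsers ignore a Secure cookie set by a non-HTTPS response anyway.
        if (!request.isSecure()) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }
        String acctID = lookupAccountId(request);

        Cookie c = new Cookie(ACCOUNT_ID, acctID);
        c.setSecure(true);            // the CWE-614 fix: only sent over TLS
        c.setHttpOnly(true);          // Servlet 3.0+: not readable by script
        c.setPath("/");
        c.setMaxAge(THIRTY_MINUTES);  // bound the lifetime of a credential-bearing cookie
        response.addCookie(c);
    }

    // Equivalent raw-header form. The Cookie API cannot express SameSite or the __Host-
    // prefix; the prefix makes the browser require Secure, Path=/ and no Domain attribute,
    // so a cookie with this name can never be planted from an HTTP origin.
    static String hostPrefixedSetCookie(String name, String value, int maxAgeSeconds) {
        return "__Host-" + name + "=" + value
                + "; Path=/; Secure; HttpOnly; SameSite=Strict; Max-Age=" + maxAgeSeconds;
        // use as: response.addHeader("Set-Cookie", hostPrefixedSetCookie(ACCOUNT_ID, acctID, THIRTY_MINUTES));
    }

    // Assumed helper: the account id comes from the authenticated session, never from the client.
    private String lookupAccountId(HttpServletRequest request) {
        Object id = request.getSession().getAttribute("accountId");
        return id == null ? "" : id.toString();
    }
}
```

Check the fix by looking at the Set-Cookie header the server actually emits (for example in a proxy or with the browser's network tools) rather than at the code path: a wrapper or framework layer that rebuilds cookies can drop the attribute again.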
+ Observed Examples
Reference / Description

  • A product does not set the Secure attribute for sensitive cookies in HTTPS sessions, which could cause the user agent to send those cookies in plaintext over an HTTP session with the product.
  • A product does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
  • A product does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
  • A product does not set the secure flag for a cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
+ Potential Mitigations

Phase: Implementation

Always set the Secure attribute on any cookie that should be sent over HTTPS only; in the Java Servlet API this is Cookie.setSecure(true). The attribute only controls transmission by the user agent: it does not by itself stop the application from remaining reachable over plain HTTP, so pair it with HSTS (and a redirect of all HTTP traffic to HTTPS), set HttpOnly on the same cookies, and verify the deployed behaviour by inspecting the Set-Cookie response header for the Secure attribute.
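A check for the mitigation above, as an added example that is not part of the CWE entry: it takes the Set-Cookie headers captured from an HTTPS response (the header lines in main() are constructed) and reports sensitive cookies that lack the Secure attribute. The list of sensitive cookie names is an assumption; a real audit would take it from the application's configuration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Set;

// Added example: flags sensitive cookies issued over HTTPS without Secure (CWE-614).
public final class SecureCookieAudit {

    // Assumed: cookie names this application treats as sensitive (compared case-insensitively).
    private static final Set<String> SENSITIVE = Set.of("jsessionid", "accountid", "auth_token");

    // The cookie name is everything before '=' in the first ';'-separated segment.
    static String cookieName(String setCookie) {
        String pair = setCookie.split(";", 2)[0];
        int eq = pair.indexOf('=');
        return (eq < 0 ? pair : pair.substring(0, eq)).trim();
    }

    // Attribute names are case-insensitive and live only after the first ';', so a cookie
    // VALUE that happens to contain the word "Secure" is not mistaken for the attribute.
    static boolean hasAttribute(String setCookie, String attr) {
        String[] parts = setCookie.split(";");
        for (int i = 1; i < parts.length; i++) {
            String p = parts[i].trim();
            int eq = p.indexOf('=');
            String name = (eq < 0 ? p : p.substring(0, eq)).trim();
            if (name.equalsIgnoreCase(attr)) return true;
        }
        return false;
    }

    // Returns one finding per problem; an empty list means every sensitive cookie is hardened.
    public static List<String> audit(List<String> setCookieHeaders, boolean responseOverHttps) {
        List<String> findings = new ArrayList<>();
        for (String h : setCookieHeaders) {
            String name = cookieName(h);
            if (!SENSITIVE.contains(name.toLowerCase(Locale.ROOT))) continue;
            if (responseOverHttps && !hasAttribute(h, "Secure")) {
                findings.add("CWE-614: sensitive cookie '" + name + "' set over HTTPS without Secure");
            }
            if (!hasAttribute(h, "HttpOnly")) {
                findings.add("sensitive cookie '" + name + "' readable by script (no HttpOnly)");
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample headers, as a proxy or scanner might capture them.
        List<String> captured = List.of(
            "JSESSIONID=9F2AB1; Path=/; HttpOnly",            // missing Secure: CWE-614
            "accountID=42; Path=/",                           // missing Secure and HttpOnly
            "auth_token=Secure123; Path=/; HttpOnly",         // "Secure" in the value is not the attribute
            "auth_token=abc; Path=/; Secure; HttpOnly",       // hardened, no finding
            "theme=dark; Path=/");                            // not sensitive, ignored
        for (String f : audit(captured, true)) {
            System.out.println(f);
        }
    }
}
```

The responseOverHttps flag matters: a cookie set by an HTTP response is outside the scope of CWE-614 (the data was already exposed), so the Secure check is only applied to responses that arrived over TLS, while the HttpOnly check applies either way.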

+ Relationships
Nature / Type / ID / Name / View(s) this relationship pertains to

  • ChildOf / Weakness Base / 311 / Missing Encryption of Sensitive Data / Development Concepts (primary) 699; Research Concepts (primary) 1000
  • ChildOf / Category / 895 / SFP Cluster: Information Leak / Software Fault Pattern (SFP) Clusters (primary) 888
+ Content History
Submissions

  • Source: Externally Mined

Modifications (Date / Modifier / Organization / Source: change)

  • 2008-07-01 / Cigital / External: added/updated demonstrative examples
  • 2008-07-01 / Cigital / External: updated Potential_Mitigations, Time_of_Introduction
  • 2008-09-08 / MITRE / Internal: updated Relationships, Taxonomy_Mappings
  • 2008-10-14 / MITRE / Internal: updated Observed_Examples
  • 2009-03-10 / MITRE / Internal: updated Name
  • 2009-05-27 / MITRE / Internal: updated Related_Attack_Patterns
  • 2011-06-01 / MITRE / Internal: updated Common_Consequences
  • 2012-05-11 / MITRE / Internal: updated Relationships
  • 2012-10-30 / MITRE / Internal: updated Potential_Mitigations

Previous Entry Names (Change Date / Previous Entry Name)

  • 2008-04-11 / Unset Secure Attribute for Sensitive Cookies in HTTPS Session
Page Last Updated: June 23, 2014