Clear text transmission of sensitive cookie
ID: js/clear-text-cookie
Kind: problem
Security severity: 5.0
Severity: warning
Precision: high
Tags:
- security
- external/cwe/cwe-614
- external/cwe/cwe-311
- external/cwe/cwe-312
- external/cwe/cwe-319
Query suites:
- javascript-code-scanning.qls
- javascript-security-extended.qls
- javascript-security-and-quality.qls
Cookies that are transmitted in clear text can be intercepted by an attacker. If sensitive cookies are intercepted, the attacker can read the cookie and use it to perform actions on the user’s behalf.
Recommendation
Always transmit sensitive cookies using SSL by setting the secure attribute on the cookie.
Example
The following example stores an authentication token in a cookie that can be transmitted in clear text.
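    const http = require('http');
    // makeAuthkey() is assumed to be defined elsewhere and to return the authentication token.
    const server = http.createServer((req, res) => {
        // BAD: no secure attribute, so the browser also sends authKey over plain HTTP connections.
        res.setHeader("Set-Cookie", `authKey=${makeAuthkey()}`);
        res.writeHead(200, { 'Content-Type': 'text/html' });
        res.end('<h2>Hello world</h2>');
    });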
To force the cookie to be transmitted using SSL, set the secure attribute on the cookie.
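    const http = require('http');
    // makeAuthkey() is assumed to be defined elsewhere and to return the authentication token.
    const server = http.createServer((req, res) => {
        // GOOD: secure restricts the cookie to HTTPS requests; httpOnly hides it from page scripts.
        res.setHeader("Set-Cookie", `authKey=${makeAuthkey()}; secure; httpOnly`);
        res.writeHead(200, { 'Content-Type': 'text/html' });
        res.end('<h2>Hello world</h2>');
    });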
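The same check can be enforced at run time in tests or staging. The following is an added example, not part of the original query help or the CodeQL project: it parses Set-Cookie values and rejects a response that sets a sensitive cookie without the secure attribute. The names SENSITIVE_NAME, parseSetCookie, findClearTextCookies and requireSecureCookies are hypothetical, and the name pattern is an assumed heuristic, not the query's own logic.

```javascript
// Assumed heuristic for "sensitive" cookie names; adjust to the application.
const SENSITIVE_NAME = /auth|sess|token|key|login|jwt/i;

// Parse one Set-Cookie value into the cookie name and its attribute names.
// Attribute names are case-insensitive, so they are lower-cased here.
function parseSetCookie(value) {
  const [pair, ...attrs] = String(value).split(';');
  const eq = pair.indexOf('=');
  const name = (eq === -1 ? pair : pair.slice(0, eq)).trim();
  const flags = new Set(attrs.map(a => a.split('=')[0].trim().toLowerCase()));
  return { name, flags };
}

// Return the names of sensitive cookies that lack the secure attribute.
// Accepts what res.getHeader('Set-Cookie') can return:
// undefined, a single string, or an array of strings.
function findClearTextCookies(header) {
  const values = header === undefined ? [] : [].concat(header);
  return values
    .map(parseSetCookie)
    .filter(c => SENSITIVE_NAME.test(c.name) && !c.flags.has('secure'))
    .map(c => c.name);
}

// Wrap a request handler so that a response carrying such a cookie throws
// before the headers are written. Headers passed directly as an argument
// to writeHead() are not inspected by this sketch.
function requireSecureCookies(handler) {
  return (req, res) => {
    const writeHead = res.writeHead;
    res.writeHead = function (...args) {
      const bad = findClearTextCookies(this.getHeader('Set-Cookie'));
      if (bad.length > 0) {
        throw new Error(`Set-Cookie without secure: ${bad.join(', ')}`);
      }
      return writeHead.apply(this, args);
    };
    return handler(req, res);
  };
}
```

Wrapping the handler from the first example, as in http.createServer(requireSecureCookies(handler)), makes it throw on the first request, while the corrected handler passes unchanged.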
References
ExpressJS: Use cookies securely.
OWASP: Set cookie flags appropriately.
Mozilla: Set-Cookie.
Common Weakness Enumeration: CWE-614.
Common Weakness Enumeration: CWE-311.
Common Weakness Enumeration: CWE-312.
Common Weakness Enumeration: CWE-319.