Clear text transmission of sensitive cookie
ID: js/clear-text-cookie
Kind: problem
Security severity: 5.0
Severity: warning
Precision: high
Tags:
   - security
   - external/cwe/cwe-614
   - external/cwe/cwe-311
   - external/cwe/cwe-312
   - external/cwe/cwe-319
Query suites:
   - javascript-code-scanning.qls
   - javascript-security-extended.qls
   - javascript-security-and-quality.qls
Cookies that are transmitted in clear text can be intercepted by an attacker. If sensitive cookies are intercepted, the attacker can read the cookie and use it to perform actions on the user’s behalf.
Recommendation
Always transmit sensitive cookies using SSL by setting the secure attribute on the cookie.
Example
The following example stores an authentication token in a cookie that can be transmitted in clear text.
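```javascript
const http = require('http');

// makeAuthkey() is assumed to be defined elsewhere and to return the token.
const server = http.createServer((req, res) => {
  // No secure attribute: the cookie can be sent over an unencrypted connection.
  res.setHeader("Set-Cookie", `authKey=${makeAuthkey()}`);
  res.writeHead(200, { 'Content-Type': 'text/html' });
  res.end('<h2>Hello world</h2>');
});
```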
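To force the cookie to be transmitted using SSL, set the secure attribute on the cookie.
```javascript
const http = require('http');

// makeAuthkey() is assumed to be defined elsewhere and to return the token.
const server = http.createServer((req, res) => {
  // secure restricts the cookie to encrypted connections; httpOnly hides it from page scripts.
  res.setHeader("Set-Cookie", `authKey=${makeAuthkey()}; secure; httpOnly`);
  res.writeHead(200, { 'Content-Type': 'text/html' });
  res.end('<h2>Hello world</h2>');
});
```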
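The same check can be applied to Set-Cookie values at run time, for instance in a test or a response hook. The following is an added example, not part of the CodeQL documentation or the query itself; the function names, the SENSITIVE_NAME heuristic and the sample headers are assumptions made for illustration.

```javascript
// Assumed heuristic for "sensitive" cookie names; not the CodeQL query's own logic.
const SENSITIVE_NAME = /auth|sess|token|key|passw/i;

// Split one Set-Cookie value into its name and a Map of lower-cased attribute
// names. Only text after the first ";" is an attribute, so a cookie whose
// *value* is "secure" is not mistaken for one that carries the attribute.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';');
  const eq = pair.indexOf('=');
  const name = (eq === -1 ? '' : pair.slice(0, eq)).trim();
  const attrs = new Map();
  for (const part of rest) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    if (key) attrs.set(key, i === -1 ? '' : part.slice(i + 1).trim());
  }
  return { name, attrs };
}

// Names of sensitive-looking cookies that lack the Secure attribute.
function findClearTextCookies(headers) {
  return headers
    .map(parseSetCookie)
    .filter(c => SENSITIVE_NAME.test(c.name) && !c.attrs.has('secure'))
    .map(c => c.name);
}

// Append Secure and HttpOnly when missing; existing attributes are kept.
function hardenSetCookie(header) {
  const { attrs } = parseSetCookie(header);
  let out = header.replace(/;\s*$/, '');
  if (!attrs.has('secure')) out += '; Secure';
  if (!attrs.has('httponly')) out += '; HttpOnly';
  return out;
}

// Constructed sample headers, not taken from a real application.
const sample = [
  'authKey=abc123',                  // flagged: no Secure attribute
  'authKey=secure; Path=/',          // flagged: "secure" is only the value
  'sessionId=xyz; SECURE; HttpOnly', // ok: attribute names are case-insensitive
  'theme=dark',                      // ignored: name does not look sensitive
];
console.log(findClearTextCookies(sample));
console.log(sample.map(hardenSetCookie));
```

A substring test such as `header.includes('secure')` would pass the second sample header even though it has no Secure attribute, which is why the attributes are parsed separately from the value.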
References
ExpressJS: Use cookies securely.
Mozilla: Set-Cookie.
Common Weakness Enumeration: CWE-614.
Common Weakness Enumeration: CWE-311.
Common Weakness Enumeration: CWE-312.
Common Weakness Enumeration: CWE-319.