CWE-784 在安全决策中依赖未经验证和完整性检查的Cookie

Reliance on Cookies without Validation and Integrity Checking in a Security Decision

结构: Simple

Abstraction: Variant

状态: Draft

被利用可能性: High

基本描述

The application uses a protection mechanism that relies on the existence or values of a cookie, but it does not properly ensure that the cookie is valid for the associated user.

扩展描述

Attackers can easily modify cookies, within the browser or by implementing the client-side code outside of the browser. Attackers can bypass protection mechanisms such as authorization and authentication by modifying the cookie to contain an expected value.

相关缺陷

  • cwe_Nature: ChildOf cwe_CWE_ID: 807 cwe_View_ID: 1000

  • cwe_Nature: ChildOf cwe_CWE_ID: 565 cwe_View_ID: 1000 cwe_Ordinal: Primary

  • cwe_Nature: ChildOf cwe_CWE_ID: 565 cwe_View_ID: 699 cwe_Ordinal: Primary

适用平台

Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}

Paradigm: {'cwe_Name': 'Web Based', 'cwe_Prevalence': 'Often'}

常见的影响

范围 影响 注释
Access Control ['Bypass Protection Mechanism', 'Gain Privileges or Assume Identity'] It is dangerous to use cookies to set a user's privileges. The cookie can be manipulated to claim a high level of authorization, or to claim that successful authentication has occurred.

可能的缓解方案

Architecture and Design

策略:

Avoid using cookie data for a security-related decision.

Implementation

策略:

Perform thorough input validation (i.e.: server side validation) on the cookie data if you're going to use it for a security related decision.

Architecture and Design

策略:

Add integrity checks to detect tampering.

Architecture and Design

策略:

Protect critical cookies from replay attacks, since cross-site scripting or other attacks may allow attackers to steal a strongly-encrypted cookie that also passes integrity checks. This mitigation applies to cookies that should only be valid during a single transaction or session. By enforcing timeouts, you may limit the scope of an attack. As part of your integrity check, use an unpredictable, server-side value that is not exposed to the client.

示例代码

The following code excerpt reads a value from a browser cookie to determine the role of the user.

bad Java

Cookie[] cookies = request.getCookies();
for (int i =0; i< cookies.length; i++) {
Cookie c = cookies[i];
if (c.getName().equals("role")) {
userRole = c.getValue();
}
}

The following code could be for a medical records application. It performs authentication by checking if a cookie has been set.

bad PHP

$auth = $_COOKIES['authenticated'];
if (! $auth) {
if (AuthenticateUser($_POST['user'], $_POST['password']) == "success") {

// save the cookie to send out in future responses
setcookie("authenticated", "1", time()+60602);
}
else {
ShowLoginScreen();
die("\n");
}
}
DisplayMedicalHistory($_POST['patient_ID']);

The programmer expects that the AuthenticateUser() check will always be applied, and the "authenticated" cookie will only be set when authentication succeeds. The programmer even diligently specifies a 2-hour expiration for the cookie.

However, the attacker can set the "authenticated" cookie to a non-zero value such as 1. As a result, the $auth variable is 1, and the AuthenticateUser() check is not even performed. The attacker has bypassed the authentication.

In the following example, an authentication flag is read from a browser cookie, thus allowing for external control of user state data.

bad Java

Cookie[] cookies = request.getCookies();
for (int i =0; i< cookies.length; i++) {
Cookie c = cookies[i];
if (c.getName().equals("authenticated") && Boolean.TRUE.equals(c.getValue())) {
authenticated = true;
}
}

分析过的案例

标识 说明 链接
CVE-2009-1549 Attacker can bypass authentication by setting a cookie to a specific value. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1549
CVE-2009-1619 Attacker can bypass authentication and gain admin privileges by setting an "admin" cookie to 1. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1619
CVE-2009-0864 Content management system allows admin privileges by setting a "login" cookie to "OK." https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0864
CVE-2008-5784 e-dating application allows admin privileges by setting the admin cookie to 1. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5784
CVE-2008-6291 Web-based email list manager allows attackers to gain admin privileges by setting a login cookie to "admin." https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6291

Notes

引用