Cookie Poisoning

Reference
Plugin ID: 10029
CWE: 565
WASC: 20
Unknown Passive Injection

Remediation

  1. Prevent user control of cookies: Never let request data (query string, POST body, headers) choose a cookie's name or be copied verbatim into its value. Cookie names and attributes should be fixed by the server.
  2. Input validation: Where a request parameter legitimately selects a cookie value (a language, a theme, a tenant), validate it against an allow-list of expected values and reject anything else, rather than trying to sanitize arbitrary input.
  3. Filter dangerous characters: For values that must be free-form, remove or percent-encode the cookie delimiters (semicolon, comma, equals sign, whitespace) and CR/LF before the value reaches the Set-Cookie header; a semicolon lets an attacker append attributes such as Path or Domain, and CR/LF can split the header.
  4. Use secure cookie handling: Set cookies through your framework's cookie API with server-chosen names and attributes (Secure, HttpOnly, SameSite), and never assemble Set-Cookie headers by string concatenation from request data.
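The following added example (not code from this page or from StackHawk) puts the four remediation points side by side with the vulnerable pattern they replace. The cookie names, the allow-listed language values and the attacker payload are all constructed for illustration.

```python
import re
from typing import List, Optional
from urllib.parse import quote

# Vulnerable pattern (constructed for illustration): request data is concatenated
# straight into the Set-Cookie header value, so the attacker controls the value
# and, via ';', every attribute that follows it.
def build_set_cookie_vulnerable(name: str, value: str) -> str:
    return f"{name}={value}; Path=/"

# Hardened pattern (remediation points 1, 2 and 4): the cookie name and its
# attributes are fixed by the server, and the request parameter only selects
# among an allow-list of values. Anything else is rejected, not sanitized.
ALLOWED_LANGS = {"en", "de", "fr"}   # assumption: the app supports only these

def build_set_cookie_hardened(lang: str) -> Optional[str]:
    if lang not in ALLOWED_LANGS:
        return None
    return f"lang={lang}; Path=/; Secure; HttpOnly; SameSite=Lax"

# Remediation point 3, for values that genuinely must be free-form: percent-encode
# so that every cookie delimiter (';', ',', '=', whitespace) and CR/LF is
# neutralised. RFC 6265 forbids those characters in a cookie value; quote() with
# safe="" leaves only letters, digits and '-', '_', '.', '~' unencoded.
def encode_cookie_value(value: str) -> str:
    return quote(value, safe="")

# Small helper: the attributes a client would see in a Set-Cookie value.
def cookie_attributes(header_value: str) -> List[str]:
    return [p.strip() for p in header_value.split(";")[1:] if p.strip()]

if __name__ == "__main__":
    payload = "guest; Path=/admin; Secure"        # constructed attacker input
    print(build_set_cookie_vulnerable("role", payload))  # attacker-chosen Path attribute
    print(build_set_cookie_hardened(payload))    # None: rejected by the allow-list
    print(build_set_cookie_hardened("de"))
    print(encode_cookie_value(payload))          # delimiters become %3B, %3D, %20
```

Most server frameworks already reject CR/LF in header values, so the header-splitting case is usually caught for you; attribute injection through a semicolon is the part they typically do not catch, which is why the allow-list comes before encoding in the hardened version.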

About

Cookie Poisoning is reported when a value the client supplied in a query string parameter or POST body is reflected into a Set-Cookie header of the response. Because this is a passive check, it only observes that reflection; it does not confirm that the reflected value is unfiltered or that the cookie is trusted anywhere, so each finding should be verified by hand. Where the reflection is unfiltered, an attacker who controls the request (or who can get a victim to follow a crafted link) can choose the cookie's value and, if delimiters such as the semicolon are not encoded, append attributes (Path, Domain, Expires) or inject additional cookies. That lets attacker-chosen data reach whatever server-side logic later trusts the cookie, for example a session, role or tenant selector.
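An added example, written for this page and not the scanner's own code, of the kind of passive check the paragraph above describes: it collects the request's query and form parameters, parses each Set-Cookie value, and reports any parameter whose value reappears in a cookie name, value or attribute. The request/response pair is constructed, and the minimum length filter is an assumption made here to cut coincidental matches, not a documented behaviour of the rule.

```python
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlsplit

MIN_VALUE_LEN = 4  # assumption: skip very short values, which reflect by coincidence

def request_params(url: str, body: str = "") -> Dict[str, List[str]]:
    """Collect query-string and form-encoded POST parameters (constructed helper)."""
    params: Dict[str, List[str]] = {}
    for source in (urlsplit(url).query, body):
        for name, values in parse_qs(source, keep_blank_values=True).items():
            params.setdefault(name, []).extend(values)
    return params

def parse_set_cookie(header_value: str) -> Tuple[str, str, List[str]]:
    """Split 'name=value; Attr; Attr=x' into (name, value, [attributes])."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    return name.strip(), value.strip(), [a for a in parts[1:] if a]

def find_cookie_poisoning(url: str, body: str, set_cookie_values: List[str]) -> List[dict]:
    """Report each request parameter whose value reappears in a Set-Cookie header.

    Comparison is on the URL-decoded parameter value; a server that reflects the
    still-encoded form would be missed by this simplified check.
    """
    findings = []
    params = request_params(url, body)
    for header_value in set_cookie_values:
        cookie, value, attrs = parse_set_cookie(header_value)
        for pname, pvalues in params.items():
            for pv in pvalues:
                if len(pv) < MIN_VALUE_LEN:
                    continue
                if pv == cookie:
                    where = "cookie name"
                elif pv in value:
                    where = "cookie value"
                elif any(pv in a for a in attrs):
                    where = "cookie attribute"
                else:
                    continue
                findings.append({"param": pname, "input": pv, "cookie": cookie,
                                 "where": where, "header": header_value})
    return findings

# Constructed request/response pair: the lang parameter is echoed into a cookie.
SAMPLE_URL = "https://app.example/set-lang?lang=fr-CA-test&ref=home"
SAMPLE_SET_COOKIE = ["lang=fr-CA-test; Path=/", "session=9f1c2d; Path=/; HttpOnly"]

if __name__ == "__main__":
    for f in find_cookie_poisoning(SAMPLE_URL, "", SAMPLE_SET_COOKIE):
        print(f"{f['param']}={f['input']!r} reflected into {f['where']} of cookie {f['cookie']}")
```

Triaging a finding means checking the "where" field against the remediation list: a match in the cookie value of an allow-listed selector may be intended, while any match in the cookie name or in an attribute means request data is shaping the header structure itself.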

Risks

Medium

Cookie poisoning can lead to session manipulation (fixing or altering a session identifier), authentication bypass where a cookie is trusted as proof of login, privilege escalation where a role or flag is stored in a cookie, and injection of attacker-controlled data into application logic or into the cookies of other users who follow a crafted link.
