Cleartext storage of sensitive information in a cookie
Learn about the dangers of storing sensitive, unencrypted information in cookies
What is cleartext storage of sensitive information in a cookie?
Cleartext storage of sensitive information in a cookie occurs when unencrypted and non-hashed sensitive information, such as personally identifiable information (PII), is stored in browser cookies. Exploitation may occur when an attacker is able to access these cookies by intercepting HTTP traffic or by accessing the web browser directly.
About this lesson
In this lesson, you will learn about vulnerabilities resulting from the storage of sensitive information in cookies, and how to protect your applications against them. For our example, we'll follow the story of a shady university student harvesting PII from library computers.
As easy as an extension
A simple extension for Firefox called Firesheep was released in 2010. It captured people's session cookies with ease, and it highlighted that cookie information must be stored and transmitted securely. Yet even today we still see poorly designed applications that store sensitive information in cleartext (plaintext)!
Gotham University is ranked the top university in the northern hemisphere. Getting good grades just isn't enough to get accepted here; applicants need to be exceptional. For this reason, many of the world's future leaders have spent time in these halls.
Among the current students is Sally, an enterprising cybersecurity student with a questionable moral compass. You see, Sally knows the value of personally identifiable information on the dark web. Students' personal details must be stored somewhere on university servers, and they would fetch a pretty penny if she could get her hands on them!
Setting the stage
The university has an internal web application to view your details. Sally logs into the application to take a look and to see what she can view...
In the example above, the attacker was able to steal sensitive information simply by viewing cookies. In most cases, cookies are considered difficult for an attacker to get hold of, but there are situations (shared machines, intercepted traffic) where it becomes possible. In those cases, it is in our best interest to ensure that no sensitive information is contained within them.
The vulnerable code in the example above may be as simple as this:
What should we do instead?
There are a few things you can do to mitigate this type of vulnerability. Let's take a look!
Use session tokens
Sensitive information within a cookie is usually a sign of bad architecture. Instead of storing user details in cookies, it is far better to only assign session tokens as cookies. If sensitive details of a user are required, they can be accessed on the server side by associating the session token with a user.
Use cookie security flags
If, for whatever reason, your application's cookies end up storing sensitive information, it's best that they are well protected! Use these security flags on your cookies to make them harder for an attacker to access.
Cookies offer an
Cookies also offer a vaguely-named secure flag, which ensures that the cookie will never be sent over an unencrypted connection.
Shorten the expiry time
In an ideal world, cookies would expire instantly! Of course, in the real world, this would make browsing authenticated web applications very difficult. The shorter the expiry time, the less likely a cookie is to be discovered and exploited by an attacker. The longer the expiry time, the less often your users will need to re-authenticate.
We recommend deciding what an appropriate lifetime for the cookie is and implementing a timeout accordingly.
The previous vulnerable code should use both security flags, shorten the timeout, and store a token instead of user data:
Keep learning about cookies and storing sensitive information
- CWE for Cleartext Storage of Sensitive Information in a Cookie
- A blog post by Snyk: is local storage safe to use?
- Learn more about cryptography and hashing
Now you know more about cookies and why cleartext sensitive data should not go inside them! You also know about the risks and mitigation techniques. We hope that you will apply this knowledge to make your applications safer. We'd really appreciate it if you could take a minute to rate how valuable this lesson was for you and provide feedback to help us improve! Also, make sure to check out our lessons on other common vulnerabilities.