User-provided data, such as URL parameters, should always be considered untrusted and tainted. Constructing cookies directly from tainted data
enables attackers to set the session identifier to a known value, allowing the attacker to share the session with the victim. Successful attacks might
result in unauthorized access to sensitive information, for example if the session identifier is not regenerated when the victim authenticates.
Typically, the solution to prevent this type of attack is to restrict, with an allow-list, which cookies user input may influence, so that the session cookie is never among them.
Noncompliant Code Example
using System.Web;
using System.Web.Mvc;

public class HomeController : Controller
{
    [HttpGet]
    public ActionResult index(string val)
    {
        // Both lines let the untrusted request parameter choose the session identifier
        Response.AddHeader("Set-Cookie", val); // Noncompliant
        HttpCookie cookie = new HttpCookie("ASP.NET_SessionId", val); // Noncompliant
        Response.AppendCookie(cookie);
        return View("");
    }
}
Compliant Solution
using System.Web;
using System.Web.Mvc;

public class HomeController : Controller
{
    [HttpGet]
    public ActionResult index(string val)
    {
        // User input is written only to a custom header and to a non-session cookie with a fixed name
        Response.AddHeader("X-Data", val);
        HttpCookie cookie = new HttpCookie("data", val);
        Response.AppendCookie(cookie);
        return View("");
    }
}
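An allow-list implementation of the approach described above, where the client may pick the cookie name, added here as an example and not part of the original rule page; the PreferencesController, the Set action, the cookie names "theme" and "lang", and the value pattern are assumptions:

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.Mvc;

public class PreferencesController : Controller
{
    // Only these cookie names may be chosen by the client (assumed names).
    // The session cookie "ASP.NET_SessionId" is deliberately absent.
    private static readonly HashSet<string> AllowedCookieNames =
        new HashSet<string>(StringComparer.Ordinal) { "theme", "lang" };

    // Values are limited to a conservative token charset, so CR/LF, ';' and '='
    // from the request can never reshape the Set-Cookie header.
    private static readonly Regex SafeValue = new Regex(@"^[A-Za-z0-9_-]{1,64}$");

    [HttpGet]
    public ActionResult Set(string name, string val)
    {
        // Reject anything outside the allow-list instead of trying to sanitise it
        if (name == null || !AllowedCookieNames.Contains(name))
        {
            return new HttpStatusCodeResult(400, "cookie name not allowed");
        }
        if (val == null || !SafeValue.IsMatch(val))
        {
            return new HttpStatusCodeResult(400, "cookie value not allowed");
        }

        // Name and value are now known-good; the session cookie cannot be reached
        HttpCookie cookie = new HttpCookie(name, val)
        {
            HttpOnly = true,
            Secure = Request.IsSecureConnection
        };
        Response.AppendCookie(cookie);
        return View("");
    }
}
```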
See