Why is this an issue?
Session Cookie Injection occurs when a web application assigns session cookies to users using untrusted data.
Session cookies are used by web applications to identify users. Thus, controlling these enable control over the identity of the users within the
application.
The injection might occur via a GET parameter, and the payload, for example, https://example.com?cookie=injectedcookie
, delivered using phishing techniques.
What is the potential impact?
A well-intentioned user opens a malicious link that injects a session cookie in their web browser. This forces the user into unknowingly browsing a
session that isn’t theirs.
Below are some real-world scenarios that illustrate some impacts of an attacker exploiting the vulnerability.
Sensitive data disclosure
A victim introduces sensitive data within the attacker’s application session that can later be retrieved by them. This can lead to a variety of
implications depending on what type of data is disclosed. Strictly confidential user data or organizational data leakage have different impacts.
Vulnerability chaining
An attacker not only manipulates a user into browsing an application using a session cookie of their control but also successfully detects and
exploits a self-XSS on the target application.
The victim browses the vulnerable page using the attacker’s session and is affected by the XSS,
which can then be used for a wide range of attacks including credential stealing using mirrored login pages.
How to fix it in Java SE
Code examples
The following code is vulnerable to Session Cookie Injection as it assigns a session cookie using untrusted data.
Noncompliant code example
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
Optional<Cookie> cookieOpt = Arrays.stream(request.getCookies())
.filter(c -> c.getName().equals("jsessionid"))
.findFirst();
if (!cookieOpt.isPresent()) {
String cookie = request.getParameter("cookie");
Cookie cookieObj = new Cookie("jsessionid", cookie);
response.addCookie(cookieObj);
}
response.sendRedirect("/welcome.jsp");
}
Compliant solution
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
Optional<Cookie> cookieOpt = Arrays.stream(request.getCookies())
.filter(c -> c.getName().equals("jsessionid"))
.findFirst();
if (!cookieOpt.isPresent()) {
response.sendRedirect("/getCookie.jsp");
} else {
response.sendRedirect("/welcome.jsp");
}
}
How does this work?
Untrusted data, such as GET or POST request content, should always be considered tainted. Therefore, an application should not blindly assign the
value of a session cookie to untrusted data.
Session cookies should be generated using the built-in APIs of secure libraries that include session management instead of developing homemade
tools.
Often, these existing solutions benefit from quality maintenance in terms of features, security, or hardening, and it is usually better to
use these solutions than to develop your own.
Resources
Standards