Insecurely generated cookies - Secure - Go

Insecurely generated cookies - Secure - Go

Need

Secure generation and transmission of sensitive cookies

Context

  • Usage of Go 1.16 for building high-performance and scalable applications
  • Usage of gin-gonic/gin for building web applications in Go

Description

Non compliant code

        package main

import (
	"github.com/gin-gonic/gin"
)

func main() {
	r := gin.Default()
	r.GET("/cookie", func(c *gin.Context) {
		c.SetCookie("sensitiveCookie", "sensitiveData", 3600, "/", "localhost", false, true)
	})
	r.Run()
}

The vulnerable code above is a simple Go web server using the Gin framework. The server has a single route, /cookie, that sets a cookie named sensitiveCookie with the value sensitiveData.

The SetCookie method has several parameters: 1. name: the name of the cookie 2. value: the value of the cookie 3. maxAge: the duration (in seconds) the cookie should be kept 4. path: the path the cookie is valid for 5. domain: the domain the cookie is valid for 6. secure: whether the cookie should only be sent over HTTPS 7. httpOnly: whether the cookie should only be accessible by HTTP/HTTPS, not by client-side script

The vulnerability lies in the secure parameter of the SetCookie method. In the provided code, it's set to false, which means that the cookie can be transmitted over an unencrypted HTTP connection. If the cookie contains sensitive information, it can be intercepted and read by others. This is a violation of the Secure attribute in the Cookie specification. The Secure attribute should be set to true for sensitive cookies to ensure they are only sent over HTTPS.

Steps

  • Set the Secure attribute for sensitive cookies.
  • Ensure that the application is running over a secure channel (HTTPS) to prevent the cookies from being sent through an insecure channel.
  • Use a secure flag to ensure that the cookie is only sent over HTTPS.
  • Consider using the SameSite attribute to prevent cross-site request forgery (CSRF) attacks.
  • Regularly review and update the application's dependencies, including the Gin framework, to ensure that any security patches or updates are applied.

Compliant code

        package main

import (
	"github.com/gin-gonic/gin"
)

func main() {
	r := gin.Default()
	r.GET("/cookie", func(c *gin.Context) {
		c.SetCookie("sensitiveCookie", "sensitiveData", 3600, "/", "localhost", true, true)
	})
	r.Run()
}

The original code was setting a cookie without the Secure attribute, which could potentially allow the cookie to be sent over an insecure channel. This is a security vulnerability as it exposes sensitive data to potential interception and misuse.

The fixed code sets the Secure attribute for the sensitive cookie. This ensures that the cookie will only be sent over a secure channel (HTTPS). The line of code that was changed is:

                c.SetCookie("sensitiveCookie", "sensitiveData", 3600, "/", "localhost", true, true)


In this line, the second to last parameter is set to true, which sets the Secure attribute for the cookie. This means that the cookie will only be sent over a secure channel (HTTPS), preventing it from being sent over an insecure channel.

Additionally, the last parameter is also set to true, which sets the HttpOnly attribute for the cookie. This means that the cookie cannot be accessed through client-side scripts, providing additional protection against cross-site scripting (XSS) attacks.

It's also recommended to consider using the SameSite attribute to prevent cross-site request forgery (CSRF) attacks. Regularly review and update the application's dependencies, including the Gin framework, to ensure that any security patches or updates are applied.

References