Secure generation of cookies with the HttpOnly attribute
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

public void generateCookie(HttpServletResponse response) {
    Cookie cookie = new Cookie("user", "12345");
    response.addCookie(cookie);
}
The above code generates a cookie without setting the HttpOnly attribute.
The HttpOnly attribute is a flag that you can include in a Set-Cookie HTTP response header to help mitigate the risk of cross-site scripting (XSS) attacks. When the HttpOnly attribute is included in the HTTP response header, the cookie cannot be accessed through client-side scripts, such as JavaScript.
In the code snippet, a cookie named "user" is created with the value "12345". The cookie is then added to the HTTP response without setting the HttpOnly attribute. This means that the cookie can be read by client-side scripts, making it vulnerable to XSS attacks. This vulnerability can potentially allow an attacker to steal sensitive information such as session identifiers.
Here is the line of code that presents the vulnerability:

    Cookie cookie = new Cookie("user", "12345");

The HttpOnly attribute is never set on this cookie, so it remains accessible to client-side scripts.
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

public void generateCookie(HttpServletResponse response) {
    Cookie cookie = new Cookie("user", "12345");
    cookie.setHttpOnly(true); // Set HttpOnly attribute
    cookie.setSecure(true);   // Set Secure attribute
    response.addCookie(cookie);
}
The original code was generating a cookie without setting the HttpOnly and Secure attributes. The HttpOnly attribute prevents client-side scripts from accessing the cookie, which can help mitigate cross-site scripting (XSS) attacks. The Secure attribute ensures that the cookie is only sent over HTTPS, protecting it from potential eavesdropping or man-in-the-middle attacks.
The updated code sets both of these attributes when generating the cookie. This makes the cookie more secure and helps protect against common web application vulnerabilities.
Please note that this code still uses a hardcoded value for the cookie. In a real-world application, you should use a secure random number generator to generate the cookie value. This can help prevent session prediction or session fixation attacks.
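The following class is an added example, not code from the page above: it combines the two points made here, setting HttpOnly and Secure on the cookie and replacing the hardcoded "12345" with a value drawn from SecureRandom, and adds a small audit helper that inspects a raw Set-Cookie header for the two attributes so the result can be checked outside a servlet container. The class name SessionCookies, the 32-byte identifier length, the Path and Max-Age policy, and the missingAttributes helper are assumptions made for this example; the javax.servlet API calls (setHttpOnly, setSecure, setPath, setMaxAge) exist as used since Servlet 3.0.

```java
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.Locale;

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

public class SessionCookies {
    private static final SecureRandom RNG = new SecureRandom();
    // 32 bytes (256 bits) of entropy per identifier: an assumed policy value for this example
    private static final int SESSION_ID_BYTES = 32;

    /** Returns an unguessable session identifier, URL-safe Base64 without padding. */
    public static String newSessionId() {
        byte[] raw = new byte[SESSION_ID_BYTES];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /** Builds the "user" cookie with the attributes the fixed snippet sets, plus scope and lifetime. */
    public static Cookie buildSessionCookie(String sessionId) {
        Cookie cookie = new Cookie("user", sessionId);
        cookie.setHttpOnly(true);  // not readable through document.cookie
        cookie.setSecure(true);    // only transmitted over HTTPS
        cookie.setPath("/");       // scope to the whole application (assumed policy)
        cookie.setMaxAge(30 * 60); // 30 minutes (assumed policy); -1 would make it a browser-session cookie
        return cookie;
    }

    /** Drop-in replacement for the page's generateCookie: random value instead of "12345". */
    public static void generateCookie(HttpServletResponse response) {
        response.addCookie(buildSessionCookie(newSessionId()));
    }

    /**
     * Audit helper (an assumption of this example): given the raw value of a Set-Cookie header,
     * returns the names of the required attributes that are absent. Attributes follow the
     * name=value pair, separated by ';', and are matched case-insensitively.
     */
    public static List<String> missingAttributes(String setCookieHeader) {
        boolean httpOnly = false;
        boolean secure = false;
        String[] parts = setCookieHeader.split(";");
        for (int i = 1; i < parts.length; i++) {
            String attr = parts[i].trim().toLowerCase(Locale.ROOT);
            if (attr.equals("httponly")) {
                httpOnly = true;
            } else if (attr.equals("secure")) {
                secure = true;
            }
        }
        List<String> missing = new ArrayList<>();
        if (!httpOnly) {
            missing.add("HttpOnly");
        }
        if (!secure) {
            missing.add("Secure");
        }
        return missing;
    }

    public static void main(String[] args) {
        // Constructed header values: what the original and the fixed snippets would emit
        String weak = "user=12345";
        String hardened = "user=" + newSessionId() + "; Path=/; Max-Age=1800; Secure; HttpOnly";
        System.out.println("weak     -> missing " + missingAttributes(weak));
        System.out.println("hardened -> missing " + missingAttributes(hardened));
    }
}
```

Compiling the class needs the Servlet API on the classpath; the main method exercises only the header audit, so it runs without a container. The audit helper is the same check a test or a response filter would apply to every Set-Cookie header the application emits, which catches the regression of someone re-adding a cookie without the two attributes.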
Additionally, you should implement proper input validation and sanitization throughout your application to prevent potential injection attacks. Regularly updating and patching your application and its dependencies can also help address any security vulnerabilities.