CWE-784: Reliance on Cookies without Validation and Integrity Checking in a Security Decision

CVE-2020-8184

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

The following code excerpt reads a value from a browser cookie to determine the role of the user.

Vulnerable example

java

Cookie[] cookies = request.getCookies();

The following code could be for a medical records application. It performs authentication by checking if a cookie has been set.

Vulnerable example

php

$auth = $_COOKIES['authenticated'];

In the following example, an authentication flag is read from a browser cookie, thus allowing for external control of user state data.

Vulnerable example

java

Cookie[] cookies = request.getCookies();

CWE-784: Reliance on Cookies without Validation and Integrity Checking in a Security Decision

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

Code examples

Illustrative examples

Frequently asked questions

What is CWE-784?

What CVEs are caused by CWE-784?

How do you prevent CWE-784?

What are the consequences of CWE-784?

Is CWE-784 actively exploited?

References

Stay ahead of CWE-784

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

Code examples

Illustrative examples

Related weaknesses

Parent

Frequently asked questions

What is CWE-784?

What CVEs are caused by CWE-784?

How do you prevent CWE-784?

What are the consequences of CWE-784?

Is CWE-784 actively exploited?

References

Stay ahead of CWE-784