Details
Alert ID 10029
Alert Type Passive
Status release
Risk Informational
CWE 565
WASC 20
Technologies Targeted All
Tags CWE-565
OWASP_2017_A01
OWASP_2021_A03
More Info Scan Rule Help

Summary

This check compares user-supplied input in query string parameters and POST data against the cookies the response sets, to identify cookie names or values that a user can control. Reflecting request input into a cookie is the basis of a cookie poisoning attack, which becomes exploitable when an attacker can manipulate the cookie in various ways (for example by supplying delimiter characters, or by sending a victim a crafted link so that their browser stores the attacker's chosen value). In many cases this will not be exploitable; however, allowing URL parameters to set cookie values is generally considered a bug.
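As an added illustration of what the check does (example code written for this page, not the scan rule's own Java source): the query-string and POST parameters of a request are compared against each Set-Cookie header of the response, and any cookie whose name or value contains a parameter value is reported. The sample URL, body and headers are constructed to mirror the alert text below; the min_len threshold is this example's own choice for suppressing chance matches on one-character values, not something the rule documents.

```python
from urllib.parse import parse_qsl, urlsplit

# Constructed sample traffic, modelled on the alert text on this page (not captured from a real target).
SAMPLE_URL = "https://example.com/transact?place=poison&page=2"
SAMPLE_BODY = "csrf=ab12&note=hello"
SAMPLE_SET_COOKIE = [
    "value=poison; SameSite=Strict",      # reflects the 'place' query parameter -> finding
    "session=3f9c1e; HttpOnly; Secure",   # server-generated -> no finding
    "note=hello; Path=/",                 # reflects the 'note' POST field -> finding
]


def request_params(url, body=""):
    """Collect query-string and urlencoded POST parameters as (name, value) pairs."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    if body:
        params += parse_qsl(body, keep_blank_values=True)
    return params


def parse_set_cookie(header):
    """Return (cookie_name, cookie_value) from a Set-Cookie header; attributes after ';' are ignored."""
    pair = header.split(";", 1)[0]
    name, _, value = pair.partition("=")
    return name.strip(), value.strip()


def user_controlled_cookies(url, body, set_cookie_headers, min_len=2):
    """Passive check: report each response cookie whose name or value contains a request parameter value.

    min_len is an assumption of this example: values shorter than it are skipped because
    a single character would match almost any cookie by chance.
    """
    findings = []
    for header in set_cookie_headers:
        cname, cvalue = parse_set_cookie(header)
        for pname, pvalue in request_params(url, body):
            if len(pvalue) < min_len:
                continue
            if pvalue in cvalue or pvalue == cname:
                findings.append({"cookie": header, "param": pname, "input": pvalue})
    return findings


if __name__ == "__main__":
    for f in user_controlled_cookies(SAMPLE_URL, SAMPLE_BODY, SAMPLE_SET_COOKIE):
        print(f"User input was found in cookie: {f['cookie']}  (from {f['param']}={f['input']})")
```

Run against the constructed sample it reports two cookies, `value` (from the `place` query parameter) and `note` (from the POST body), and stays silent on the server-generated session cookie.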

Solution

Do not allow user input to control cookie names and values. If some query string parameters must be set in cookie values, validate them against an allow-list of expected values where possible, and in any case reject or filter out semicolons, which serve as the delimiter between attributes in a Set-Cookie header and between name/value pairs in the Cookie request header.
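The vulnerable pattern next to a hardened one, as an added example for this page (it is not code from ZAP or from any scanned application). The `place` parameter, the `value` cookie, the attack URL and the allow-list of places are all constructed for illustration; the validator applies the cookie-name and cookie-value character classes of RFC 6265.

```python
import re
from urllib.parse import parse_qs, urlsplit

# RFC 6265 grammar: cookie-name is a token; cookie-value consists of cookie-octets, which
# exclude CTLs, whitespace, DQUOTE, comma, semicolon and backslash. A ';' in a value would
# start a new attribute (Path, Domain, Expires, ...) in Set-Cookie, or a new cookie in Cookie.
COOKIE_NAME = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
COOKIE_VALUE = re.compile(r"^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$")

# Constructed attack URL: the query parameter decodes to "poison; Path=/admin".
ATTACK_URL = "https://example.com/transact?place=poison%3B%20Path%3D/admin"

# Assumption for this example: the application only ever expects these place values.
ALLOWED_PLACES = frozenset({"home", "work", "shop"})


def _place_param(url):
    return parse_qs(urlsplit(url).query).get("place", [""])[0]


def set_cookie_unsafe(url):
    """Vulnerable pattern: the 'place' query parameter is copied straight into Set-Cookie,
    so a ';' in the input lets the requester append attributes of their choosing."""
    return f"value={_place_param(url)}; SameSite=Strict"


def build_set_cookie(name, value, **attrs):
    """Build a Set-Cookie header, rejecting names and values outside the RFC 6265 grammar.
    Attributes given as True (HttpOnly=True) are emitted as flags, others as key=value."""
    if not COOKIE_NAME.match(name):
        raise ValueError(f"illegal cookie name: {name!r}")
    if not COOKIE_VALUE.match(value):
        raise ValueError(f"illegal cookie value: {value!r}")
    header = f"{name}={value}"
    for key, val in attrs.items():
        header += f"; {key}" if val is True else f"; {key}={val}"
    return header


def set_cookie_safe(url):
    """Hardened pattern: allow-list the parameter first, then build the header through the validator."""
    place = _place_param(url)
    if place not in ALLOWED_PLACES:
        raise ValueError(f"unexpected place: {place!r}")
    return build_set_cookie("value", place, SameSite="Strict")


if __name__ == "__main__":
    print("unsafe:", set_cookie_unsafe(ATTACK_URL))
    try:
        set_cookie_safe(ATTACK_URL)
    except ValueError as err:
        print("safe rejected:", err)
    print("safe:", set_cookie_safe("https://example.com/transact?place=home"))
```

The allow-list is the real fix; the character-class check in `build_set_cookie` is a second line of defence that also catches values the allow-list was never consulted for, such as a session token that accidentally carries a delimiter.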

Other Info

An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name=controlledValue;name=anotherValue;).

This was identified at: https://example.com/transact
User input was found in the following cookie: value=poison; SameSite=Strict
The user input was: place=poison

References

Code

org/zaproxy/zap/extension/pscanrules/UserControlledCookieScanRule.java