Details
Alert ID 10029
Alert Type Passive
Status release
Risk Informational
CWE 565
WASC 20
Technologies Targeted All
Tags CWE-565
OWASP_2017_A01
OWASP_2021_A03
POLICY_DEV_STD
POLICY_PENTEST
POLICY_QA_STD
More Info Scan Rule Help

Summary

This check looks at user-supplied input in query string parameters and POST data to identify where cookie parameters might be controlled. This is called a cookie poisoning attack, and becomes exploitable when an attacker can manipulate the cookie in various ways. In some cases this will not be exploitable, however, allowing URL parameters to set cookie values is generally considered a bug.

Solution

Do not allow user input to control cookie names and values. If some query string parameters must be set in cookie values, be sure to filter out semicolon's that can serve as name/value pair delimiters.

Other Info

An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name=controlledValue;name=anotherValue;). This was identified at: https://example.com/transact User-input was found in the following cookie: value=poison; SameSite=Strict The user input was: place=poison

References

Code

org/zaproxy/zap/extension/pscanrules/UserControlledCookieScanRule.java