| Details | |
|---|---|
| Alert ID | 220001-2 |
| Alert Type | Tool |
| Status | alpha |
| Risk | Medium |
| CWE | 384 |
| WASC | |
| Technologies Targeted | All |
| Tags | CWE-384 OWASP_2021_A07 OWASP_2025_A07 TOOL_PTK |
## Summary
Detects cases where attacker-controlled DOM data is written into cookies (document.cookie or common wrapper functions). Can indicate session fixation, logic control, or preparation for exploit-chains.
Generated by OWASP PTK SAST Module
## Solution

- Avoid writing security-sensitive cookies from untrusted client-side data. Prefer server-side cookie setting and validation.
- For non-security cookies, validate/allow-list values, and avoid storing secrets client-side. Use HttpOnly for session cookies.

## Other Info
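The pattern this rule flags next to a hardened version of the same feature, as an added example that is not part of the alert page or of the PTK tool; the `theme` preference cookie, the `?theme=` query parameter and the allow-list are assumptions:

```javascript
// Added illustration (not PTK/ZAP code). A hypothetical non-security "theme"
// preference cookie is set from a ?theme= query parameter.

// Flagged pattern: DOM data (the URL) flows straight into the cookie string.
// Whatever the URL carried becomes the cookie value, and a ';' in the input
// lets the caller append cookie attributes as well.
function buildThemeCookieUnsafe(search) {
  const theme = new URLSearchParams(search).get('theme') || 'light';
  return 'theme=' + theme + '; path=/';
}

// Hardened form: allow-list the value, never echo raw input, keep the cookie
// non-sensitive (no secrets here; session cookies are set server-side with
// HttpOnly, which client-side script cannot do at all).
const ALLOWED_THEMES = new Set(['light', 'dark', 'high-contrast']);

function buildThemeCookieSafe(search) {
  const theme = new URLSearchParams(search).get('theme');
  if (!ALLOWED_THEMES.has(theme)) {
    return null; // outside the allow-list: leave the existing cookie untouched
  }
  return 'theme=' + theme + '; path=/; SameSite=Lax; Secure';
}

// Writes through to the browser cookie jar when running in a page; outside a
// browser (e.g. a test runner) `document` is undefined, so it only returns the
// string that would have been written.
function applyCookie(cookie) {
  if (cookie !== null && typeof document !== 'undefined') {
    document.cookie = cookie;
  }
  return cookie;
}

// Usage in page script (constructed input, not a real request):
applyCookie(buildThemeCookieSafe('?theme=dark'));
```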
## References
- https://owasp.org/www-community/attacks/Session_fixation
- https://cwe.mitre.org/data/definitions/384.html