1
0
mirror of https://github.com/danog/psalm.git synced 2024-12-11 08:49:52 +01:00
psalm/docs/running_psalm/issues/TaintedCookie.md
Lukas Reschke 78f4a0691c
Add dedicated types for 'file', 'header' and 'cookie' (#4630)
* [WIP] Add dedicated sinks for 'file', 'header' and 'cookie'

* Add documentation

* Add mapping for taint flows

* Add tests

* Fix test
2020-11-19 17:47:29 -05:00

1.2 KiB

TaintedCookie

Potential cookie injection. This rule is emitted when user-controlled input can be passed into a cookie.

Risk

The risk of setting arbitrary cookies depends on further application configuration.

Examples of potential issues:

  • Session Fixation: If the authentication cookie doesn't change after a successful login an attacker could fixate the session cookie. If a victim logs in with a fixated cookie, the attacker can now take over the session of the user.
  • Cross-Site-Scripting (XSS): Some application code could read cookies and print it out unsanitized to the user.

Example

<?php

setcookie('authtoken', $_GET['value'], time() + (86400 * 30), '/');

Mitigations

If this is required functionality, limit the cookie setting to values and not the name. (e.g. authtoken in the example)

Make sure to change session tokens after authentication attempts.

Further resources