mirror of
https://github.com/danog/psalm.git
synced 2025-01-10 15:09:04 +01:00
TaintedCookie
Potential cookie injection. This rule is emitted when user-controlled input can reach a cookie sink such as setcookie(), as either the cookie name or the cookie value.
Risk
The risk of letting a user set arbitrary cookies depends on how the application later reads and trusts those cookies.
Examples of potential issues:
- Session fixation: if the authentication cookie does not change after a successful login, an attacker can plant a session id of their choosing (for example via a crafted link). Once the victim logs in with that fixated cookie, the attacker knows the session id and can take over the user's session.
- Cross-site scripting (XSS): application code may read a cookie value back and echo it into a page unsanitized, so an attacker-controlled cookie value becomes an injection point.
Example
<?php
setcookie('authtoken', $_GET['value'], time() + (86400 * 30), '/');
Mitigations
If this is required functionality, let user input control only the cookie value, never the cookie name (authtoken in the example), and validate the value against the exact format you expect before it reaches setcookie().
Regenerate the session id after every authentication attempt (session_regenerate_id(true) in PHP) so that a session id planted before login cannot be reused afterwards.
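The following is an added example and not code from the Psalm documentation or the Psalm project. It places the vulnerable call from the page next to a hardened version: user input may only choose among fixed, non-authentication cookie names, values are checked against a strict pattern, and the session id is regenerated once credentials have been verified. The cookie names 'lang' and 'theme', their patterns and the helper function names are assumptions made for illustration; the @psalm-taint-escape annotation is the Psalm mechanism for telling the taint analysis that a value has been sanitized for a given sink.

```php
<?php
// Added example (not the Psalm project's code). Cookie names, patterns and
// helper names are assumptions chosen for illustration.
declare(strict_types=1);

// Vulnerable, as on the page: the cookie value comes straight from $_GET, so a
// crafted link can plant any value, e.g. an attacker-chosen session id.
function setAuthCookieUnsafe(): void
{
    setcookie('authtoken', $_GET['value'], time() + (86400 * 30), '/');
}

// Cookies a client is allowed to set, mapped to the regex their value must match.
// The authentication cookie is deliberately absent: it is never user-settable.
const USER_SETTABLE_COOKIES = [
    'lang'  => '/\A[a-z]{2}(-[A-Z]{2})?\z/',
    'theme' => '/\A(light|dark)\z/',
];

/**
 * Returns the value unchanged if it is acceptable for the named cookie,
 * otherwise null. The annotation tells Psalm's taint analysis that whatever
 * this function returns is safe to pass to the cookie sink.
 *
 * @psalm-taint-escape cookie
 */
function validatedCookieValue(string $name, string $value): ?string
{
    if (!isset(USER_SETTABLE_COOKIES[$name])) {
        return null; // name is not one the client may set
    }
    if (preg_match(USER_SETTABLE_COOKIES[$name], $value) !== 1) {
        return null; // value does not have the expected shape
    }
    return $value;
}

// Hardened: only allow-listed names, only validated values, and hardened
// cookie attributes so the cookie is not exposed to scripts or plain HTTP.
function setPreferenceCookie(string $name, string $value): bool
{
    $safe = validatedCookieValue($name, $value);
    if ($safe === null) {
        return false;
    }
    return setcookie($name, $safe, [
        'expires'  => time() + 86400 * 30,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Call only after the user's credentials have been verified. Regenerating the
// id (and deleting the old session) means an id an attacker fixated before
// login is not the id the authenticated session runs under.
function establishAuthenticatedSession(string $user): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
}

// Usage: the client may pick a theme, but nothing it sends chooses the session id.
setPreferenceCookie('theme', (string) ($_GET['theme'] ?? ''));   // 'dark' accepted, '<script>' rejected
setPreferenceCookie('authtoken', (string) ($_GET['value'] ?? '')); // always rejected: name not allow-listed
```

The allow-list keeps the cookie name out of the attacker's hands entirely, which is what the first mitigation asks for; the pattern check closes the XSS case by refusing values that could carry markup; and regenerating the session id after authentication closes the fixation case even if some other path let a session cookie be planted.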