danog/psalm
1
0
Fork 0
mirror of https://github.com/danog/psalm.git synced 2024-11-27 12:55:26 +01:00
Code Issues Projects Releases Wiki Activity
cc2933de35
psalm/docs/running_psalm/issues/TaintedCookie.md
Lukas Reschke 78f4a0691c
Add dedicated types for 'file', 'header' and 'cookie' (#4630) 
* [WIP] Add dedicated sinks for 'file', 'header' and 'cookie'

* Add documentation

* Add mapping for taint flows

* Add tests

* Fix test
2020-11-19 17:47:29 -05:00

1.2 KiB
Raw Blame History

TaintedCookie

Potential cookie injection. This rule is emitted when user-controlled input can be passed into a cookie.

Risk

The risk of setting arbitrary cookies depends on further application configuration.

Examples of potential issues:

  • Session Fixation: If the authentication cookie doesn't change after a successful login an attacker could fixate the session cookie. If a victim logs in with a fixated cookie, the attacker can now take over the session of the user.
  • Cross-Site-Scripting (XSS): Some application code could read cookies and print it out unsanitized to the user.

Example

<?php

setcookie('authtoken', $_GET['value'], time() + (86400 * 30), '/');

Mitigations

If this is required functionality, limit the cookie setting to values and not the name. (e.g. authtoken in the example)

Make sure to change session tokens after authentication attempts.

Further resources