DerScanner
Home / Vulnerability Database / Java : Cookie: reliance without validation
Java

Java : Cookie: reliance without validation

Classification

OWASP Top 10 2013
A2-Broken Authentication and Session Management
OWASP Top 10 2017
A2-Broken AuthenticationA3-Sensitive Data Exposure
OWASP Top 10 2021
A2-Cryptographic FailuresA4-Insecure DesignA7-Identification and Authentication FailuresA8-Software and Data Integrity Failures
OWASP ASVS
Access ControlAccess ControlAccess ControlAccess Control
PCI DSS 4.0
6.2.4
HIPAA
§164.312 (a)(2)(iii)
CWE
CWE-565CWE-602CWE-642CWE-784CWE-807CWE-1028
CWE/SANS Top 25 2011
CWE-807

Overview

The program’s control flow relies on the values obtained from the cookie. There is no guarantee that the cookies belong to the current user or that they have not been modified.

Attackers can easily modify cookies, within the browser or by implementing the client-side code outside of the browser. Attackers can bypass protection mechanisms such as authorization and authentication by modifying the cookie to contain an expected value.

References

  1. OWASP Top 10 2017 A2-Broken Authentication
  2. OWASP Top 10 2013-A5-Security Misconfiguration
  3. CWE-784
  4. CWE CATEGORY: OWASP Top Ten 2017 Category A2 - Broken Authentication
  5. CWE-565
LOW

DerScanner Severity Score

Do you want to fix Java : Cookie: reliance without validation in your application?

See also

Java

Java : Race condition

Java

Java : Text4Shell Vulnerability

Java

Java : JNI usage