DerScanner
Home / Vulnerability Database / PHP : Cookie: reliance without validation
PHP

PHP : Cookie: reliance without validation

Classification

OWASP Top 10 2013
A2-Broken Authentication and Session Management
OWASP Top 10 2017
A2-Broken AuthenticationA3-Sensitive Data Exposure
OWASP Top 10 2021
A2-Cryptographic FailuresA4-Insecure DesignA7-Identification and Authentication FailuresA8-Software and Data Integrity Failures
OWASP ASVS
Access ControlAccess ControlAccess ControlAccess Control
PCI DSS 4.0
6.2.4
HIPAA
§164.312 (a)(2)(iii)
CWE
CWE-565CWE-602CWE-642CWE-784CWE-807CWE-1028
CWE/SANS Top 25 2011
CWE-807

Overview

The application uses a protection mechanism that relies on the existence or values of a cookie. In this case, there is no guarantee that the cookies belong to the current user or that they have not been modified.

Attackers can easily modify cookies, within the browser or by implementing the client-side code outside of the browser. Attackers can bypass protection mechanisms such as authorization and authentication by modifying the cookie to contain an expected value.

References

  1. OWASP Top 10 2017 A2-Broken Authentication
  2. OWASP Top 10 2013-A5-Security Misconfiguration
  3. CWE-784
  4. CWE CATEGORY: OWASP Top Ten 2017 Category A2 - Broken Authentication
  5. CWE-565
LOW

DerScanner Severity Score

Do you want to fix PHP : Cookie: reliance without validation in your application?

See also

PHP

PHP : Null salt

PHP

PHP : Empty password

PHP

PHP : Empty salt