
Insecurely generated cookies - Secure

Need

Ensure secure generation and transmission of cookies

Context

• Usage of Python 3 for writing and executing Python code

• Usage of Django for building web applications

Description

1. Non compliant code

from django.http import HttpResponse
from django.views.decorators.csrf import csrf_exempt

@csrf_exempt
def set_cookie(request):
    response = HttpResponse("Setting your cookie")
    # Vulnerable: no secure=True, so the browser also sends this cookie
    # over plain HTTP, where it can be read in transit
    response.set_cookie('sensitive_cookie', 'sensitive data')
    return response

The above code is a simple Django view function that sets a cookie named 'sensitive_cookie' with the value 'sensitive data'. The vulnerability is that the cookie is set without the `secure` attribute. The `secure` attribute is a flag the server can include when it sends a new cookie to the user in an HTTP response. If the `secure` attribute is set, the browser only sends the cookie over secure channels, that is, encrypted connections such as HTTPS. In the above code the `secure` attribute is not set when 'sensitive_cookie' is created, so the cookie can be transmitted over unencrypted connections, where it can be intercepted and read by malicious third parties. This is a security risk, especially when the cookie contains sensitive information. In Django, the `secure` attribute is set by passing `secure=True` to the `set_cookie` method; the absence of this parameter is what makes the code above vulnerable.

2. Steps

• Import the settings module from Django.

• Check whether the Django settings have the 'SESSION_COOKIE_SECURE' attribute set to True. If not, set it to True. This setting ensures that the session cookie is only sent over HTTPS.

• In the 'set_cookie' method, add a 'secure' parameter and set it to True when setting the cookie. This ensures that the cookie is only sent over secure connections.

3. Secure code example

from django.http import HttpResponse
from django.views.decorators.csrf import csrf_exempt
from django.conf import settings

@csrf_exempt
def set_cookie(request):
    response = HttpResponse("Setting your cookie")
    # The secure flag follows SESSION_COOKIE_SECURE: with that setting True,
    # the browser only sends this cookie over HTTPS
    response.set_cookie(
        'sensitive_cookie',
        'sensitive data',
        secure=settings.SESSION_COOKIE_SECURE,
    )
    return response

The updated code now imports the settings module from Django. This module gives access to the Django settings, which include the 'SESSION_COOKIE_SECURE' attribute that determines whether cookies should be sent only over secure connections (HTTPS). In the 'set_cookie' view, the 'secure' parameter has been added to the 'set_cookie' call and is set to the value of 'SESSION_COOKIE_SECURE' from the Django settings. If 'SESSION_COOKIE_SECURE' is True, the 'secure' parameter is also True, so the cookie is only sent over secure connections. If 'SESSION_COOKIE_SECURE' is not set or is False, the 'secure' parameter is False and the cookie may still be sent over insecure connections; the setting must therefore be True, as in step 2, for the protection to hold. With that in place, sensitive cookies are only sent over secure connections, reducing the risk of them being intercepted and read by malicious parties.
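A practical way to verify the fix is to audit the Set-Cookie headers a response actually emits. The following is an added example, not code from the original page, using only the standard library: it parses Set-Cookie header values (the same format Django's response.cookies, a SimpleCookie, produces) and reports cookies that lack the Secure flag; it goes slightly beyond the page by also checking HttpOnly. The sample header strings are constructed to mirror the two views above plus a hypothetical session cookie.

```python
from http.cookies import SimpleCookie

# Constructed sample Set-Cookie header values (not captured from a real
# server): the non-compliant view, the hardened view, and a hypothetical
# session cookie that still lacks the Secure flag.
SAMPLE_HEADERS = [
    'sensitive_cookie="sensitive data"',
    'sensitive_cookie="sensitive data"; Secure; HttpOnly',
    'sessionid=abc123; HttpOnly; Path=/',
]

# Flags every cookie carrying session or sensitive data should have.
REQUIRED_FLAGS = ("secure", "httponly")


def audit_set_cookie(header_value):
    """Parse one Set-Cookie header value and return
    {cookie_name: [missing flags]}; an empty list means compliant."""
    jar = SimpleCookie()
    jar.load(header_value)
    findings = {}
    for name, morsel in jar.items():
        # Morsel stores boolean flags as True when present and '' otherwise
        missing = [flag for flag in REQUIRED_FLAGS if not morsel[flag]]
        findings[name] = missing
    return findings


def audit_all(header_values):
    """Audit a list of Set-Cookie values; return only the non-compliant ones."""
    report = {}
    for value in header_values:
        for name, missing in audit_set_cookie(value).items():
            if missing:
                report[name] = missing
    return report


if __name__ == "__main__":
    for value in SAMPLE_HEADERS:
        print(value, "->", audit_set_cookie(value))
```

Run it against the headers of a real response (for example from Django's test client, via response.cookies.output(header='')) to confirm that no sensitive cookie is missing the Secure flag before deploying.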