logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

Insecurely generated cookies - Secure - Scala

Need

Secure generation and transmission of cookies

Context

  1. Usage of Scala for building scalable and functional applications
  2. Usage of play.api.mvc for handling HTTP requests and responses in Play Framework

Description

Insecure Code Example

import play.api.mvc._

def index = Action { implicit request: Request[AnyContent] =>
  val sessionId = java.util.UUID.randomUUID().toString
  Ok("Hello World").withCookies(Cookie("sessionId", sessionId))
}

In the above Scala code snippet, we are using the Play framework to create a cookie named `sessionId` with a newly generated UUID as its value. The `index` action generates a new session id, then creates a new cookie with the name 'sessionId' and sets its value to the newly generated session id. The `Ok` response is then sent back to the client with the new cookie. However, this code is vulnerable to attacks because it does not set the `Secure` attribute for the `sessionId` cookie. The absence of the `Secure` attribute means that the cookie could be sent over an insecure (non-HTTPS) connection, potentially exposing the session id to attackers through a man-in-the-middle attack or packet sniffing. This is a serious vulnerability because session ids are sensitive information. If an attacker can get hold of a user's session id, they can hijack the user's session and potentially gain unauthorized access to their account.

Steps

  1. Identify the sensitive cookies that need to be secured.
  2. Set the Secure attribute for each sensitive cookie.
  3. Ensure that the application is running over a secure channel (HTTPS) to prevent cookies from being sent through an insecure channel.
  4. Verify that the cookies are being sent with the Secure attribute by inspecting the network traffic.
  5. Test the application to ensure that the cookies are only sent over a secure channel.

Secure Code Example

import play.api.mvc._

def index = Action { implicit request: Request[AnyContent] =>
  val sessionId = java.util.UUID.randomUUID().toString
  Ok("Hello World").withCookies(Cookie("sessionId", sessionId, secure = true))
}

The above code fixes the vulnerability by setting the Secure attribute for the sensitive cookie "sessionId". This is done by adding `secure = true` to the `Cookie` constructor. The `secure = true` attribute ensures that the cookie is only sent over a secure channel (HTTPS). This prevents the cookie from being sent over an insecure channel, which could expose it to potential attackers. After applying this fix, it's important to verify that the cookies are being sent with the Secure attribute. This can be done by inspecting the network traffic of the application. Finally, test the application to ensure that the cookies are only sent over a secure channel. This can be done by trying to access the application over an insecure channel (HTTP) and verifying that the cookies are not sent.

References

  • 130 - Insecurely generated cookies - Secure

    • Last updated

    2023/09/18