Java Data Leak Through Persistent Cookie

Description

This detector identifies Java applications that store sensitive data in persistent cookies by calling setMaxAge() on Cookie objects containing sensitive information. Persistent cookies remain on the user's device beyond the browser session, creating a data leakage risk if they contain sensitive information that could be accessed by malicious actors.

Weakness:

042 - Insecurely generated cookies

Category: Access Subversion

Detection Strategy

    The code must import the Cookie class through one of javax.servlet.http.Cookie, javax.servlet.http.*, jakarta.servlet.http.Cookie or jakarta.servlet.http.*

    A setMaxAge() method call is detected on a Cookie object

    The cookie being configured with setMaxAge() contains sensitive data (determined by analyzing the cookie's content or context)
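The three conditions above, as an added example written for this page rather than the detector's own implementation: a small Python scanner that checks for the servlet Cookie import, maps each Cookie variable to its cookie name, and flags setMaxAge() calls on cookies whose name looks sensitive. The keyword list and the sample Java source are constructed assumptions; the detector itself analyzes content and context more deeply than a keyword match.

```python
from __future__ import annotations
import re

# Condition 1: one of the four import forms named in the detection strategy.
COOKIE_IMPORTS = re.compile(
    r"^\s*import\s+(javax|jakarta)\.servlet\.http\.(Cookie|\*)\s*;", re.M
)
# `Cookie var = new Cookie("name", ...)` -> which variable holds which cookie name.
COOKIE_DECL = re.compile(r'Cookie\s+(\w+)\s*=\s*new\s+Cookie\s*\(\s*"([^"]*)"')
# Condition 2: `var.setMaxAge(<integer literal>)`; computed values are out of scope here.
SET_MAX_AGE = re.compile(r"\b(\w+)\s*\.\s*setMaxAge\s*\(\s*(-?\d+)\s*\)")
# Condition 3 (assumed heuristic): names that suggest sensitive content.
SENSITIVE = ("auth", "token", "session", "password", "secret", "ssn")


def is_sensitive(cookie_name: str) -> bool:
    name = cookie_name.lower()
    return any(word in name for word in SENSITIVE)


def find_persistent_sensitive_cookies(source: str) -> list[tuple[int, str]]:
    """Return (line, cookie name) for each sensitive cookie made persistent."""
    if not COOKIE_IMPORTS.search(source):
        return []  # no servlet Cookie import: condition 1 fails
    cookie_names = dict(COOKIE_DECL.findall(source))
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for var, max_age in SET_MAX_AGE.findall(line):
            name = cookie_names.get(var)
            if name is None or not is_sensitive(name):
                continue  # not a Cookie variable, or not sensitive data
            # Servlet semantics: a negative max-age keeps the cookie in memory
            # for the browser session and 0 deletes it; only a positive value
            # writes the cookie to disk, which is the risk this rule targets.
            if int(max_age) > 0:
                findings.append((lineno, name))
    return findings


# Constructed sample: the page's vulnerable pattern plus two cases that must not fire.
SAMPLE_JAVA = """\
import javax.servlet.http.Cookie;
Cookie auth = new Cookie("authToken", request.getParameter("token"));
auth.setMaxAge(3600);
Cookie theme = new Cookie("uiTheme", "dark");
theme.setMaxAge(86400);
Cookie sess = new Cookie("sessionId", id);
sess.setMaxAge(-1);
"""

if __name__ == "__main__":
    print(find_persistent_sensitive_cookies(SAMPLE_JAVA))  # [(3, 'authToken')]
```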

Vulnerable code example

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

protected void vulnerableSessionCookie(HttpServletRequest request, HttpServletResponse response) {
    Cookie cookie = new Cookie("authToken", request.getParameter("token")); // User input in sensitive cookie
    cookie.setMaxAge(3600); // Persistent storage makes it vulnerable
    response.addCookie(cookie);
}

✅ Secure code example

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

protected void secureSessionCookie(HttpServletRequest request, HttpServletResponse response) {
    String token = request.getParameter("token");
    validateToken(token); // Validate sensitive input before use
    Cookie cookie = new Cookie("authToken", token);...