
Java Cookie Without Validation

Description

Detects Java Servlet code that builds a Cookie from request data that has not been validated. The value is written straight into a Set-Cookie header and is usually read back by the application later, so attacker-chosen data can end up in a cookie the server trusts for session management or for stored state. The risk is not that a user can change their own cookie (they always can) but that the server-side path from request input to cookie skips any check: a victim can be sent a link that makes the server set the attacker's value for them, and in the worst case, as in the example below, the session identifier itself is taken from a request parameter, which makes session fixation trivial.

Weakness:

042 - Insecurely generated cookies

Category: Access Subversion

Detection Strategy

    Identifies Java web applications using javax.servlet.http.Cookie or jakarta.servlet.http.Cookie imports

    Locates Cookie constructor calls in the code

    Reports a vulnerability when a Cookie object is instantiated with data that originates from user input without proper validation

    Specifically targets Cookie creation statements where the cookie value contains user-controlled data

Vulnerable code example

```java
import javax.servlet.http.*;

public class VulnerableCookieServlet extends HttpServlet {
    protected void doGet(HttpServletRequest request, HttpServletResponse response) {
        String userInput = request.getParameter("cookie");  // Dangerous: Gets raw user input
        Cookie cookie = new Cookie("session", userInput);   // Vulnerable: User input directly used in cookie
        response.addCookie(cookie);
    }
}
```

✅ Secure code example

```java
import javax.servlet.http.*;

public class SecureCookieServlet extends HttpServlet {
    protected void doGet(HttpServletRequest request, HttpServletResponse response) {
        try {
            String userInput = request.getParameter("cookie");
            validateCookie(userInput); // Validate cookie value before using
            ...
```
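A complete version of the fix the secure example above sketches, written as an added illustration rather than taken from the rule or from the page: the cookie value is checked against an allowlist the application itself defines before any Cookie is constructed, and the session identifier is never taken from the request at all, which is what the detection strategy is looking for. The class name, the cookie name "theme", the allowed values and the sample inputs are all made up for this example; it assumes the javax.servlet API (Servlet 3.0 or later, Java 11+) on the classpath, and swapping the package prefix for jakarta.servlet leaves it unchanged. The second check, a bounded RFC 6265 cookie-octet pattern, is included for applications that must accept free-form values; it is a fallback, not a substitute for the allowlist.

```java
import java.io.IOException;
import java.util.Set;
import java.util.regex.Pattern;

import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example, not the rule's or the page's own code. Assumes the javax.servlet API
// on the classpath; the cookie name "theme" and the allowed values are made up.
public class ValidatedCookieServlet extends HttpServlet {

    // Preferred check: an allowlist of values the application itself defines.
    private static final Set<String> ALLOWED_THEMES = Set.of("light", "dark");

    // Fallback for free-form values: RFC 6265 cookie-octet set (no controls, space,
    // double quote, comma, semicolon or backslash), with a length bound. Assumed limit of 64.
    private static final Pattern COOKIE_OCTETS =
        Pattern.compile("[\\x21\\x23-\\x2B\\x2D-\\x3A\\x3C-\\x5B\\x5D-\\x7E]{1,64}");

    static boolean isAllowedTheme(String value) {
        return value != null && ALLOWED_THEMES.contains(value);
    }

    static boolean isCookieOctetString(String value) {
        return value != null && COOKIE_OCTETS.matcher(value).matches();
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String theme = request.getParameter("theme");
        if (!isAllowedTheme(theme)) {
            // Reject rather than "sanitize": an unknown value gets a 400 and nothing is stored.
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid theme");
            return;
        }
        Cookie cookie = new Cookie("theme", theme); // value is one of our own constants
        cookie.setHttpOnly(true);
        cookie.setSecure(true);
        cookie.setPath("/");
        response.addCookie(cookie);
        // The session identifier is issued by the container, never copied from the request.
        request.getSession(true);
    }

    // Stand-alone run of the two validators over constructed inputs (no container needed).
    public static void main(String[] args) {
        String[] samples = { "dark", "DARK", "dark\r\nSet-Cookie: admin=1", "a;b", "", null };
        for (String s : samples) {
            String shown = s == null ? "null"
                : "\"" + s.replace("\r", "\\r").replace("\n", "\\n") + "\"";
            System.out.printf("%-32s allowlist=%-5s octets=%s%n",
                shown, isAllowedTheme(s), isCookieOctetString(s));
        }
    }
}
```

Running main shows why the allowlist is the stronger check: "dark" passes both, "DARK" passes the octet pattern but not the allowlist, and the CRLF payload, "a;b", the empty string and null fail both. The CRLF case matters because the rule fires on the data flow regardless of whether the servlet container would later quote or reject the value; the fix belongs in the application, before the Cookie is constructed, not in the container's header encoder.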