Python Set Cookie From Untrusted Input
Description
Detects session fixation vulnerabilities in Python web applications where session cookies or identifiers can be set from untrusted user input. This allows attackers to force a user's session identifier, potentially leading to session hijacking and unauthorized access to user accounts.
Detection Strategy
• Identifies when session cookies or session-related variables are set using member access operations (e.g., response.set_cookie, session.id)
• Checks if the cookie value or session identifier comes from untrusted sources like user input or request parameters
• Reports a vulnerability when session identifiers or cookies are directly assigned from unvalidated external input
Vulnerable code example
from django.http import HttpRequest, HttpResponse
def vulnerable_cookies(request: HttpRequest) -> HttpResponse:
    user_input = request.GET.get("data")
    response = HttpResponse("Hello")
    response["Set-Cookie"] = user_input  # Vulnerable: Direct user input in cookie header
    response.set_cookie("userdata", user_input)  # Vulnerable: Unsanitized user input as cookie value
    return response
✅ Secure code example
from django.http import HttpRequest, HttpResponse
from django.utils.html import escape
import re
def safe_cookies(request: HttpRequest) -> HttpResponse:
    user_input = request.GET.get("data")
    # Sanitize and validate cookie value - only allow alphanumeric and basic punctuation
    # (the allow-list below is an assumption; the page's example is truncated at this point)
    if user_input is None or not re.fullmatch(r"[A-Za-z0-9_.\-]{1,64}", user_input):
        return HttpResponse("Invalid cookie value", status=400)
    response = HttpResponse("Hello")
    response.set_cookie("userdata", escape(user_input))  # Validated value only; never build Set-Cookie from raw input
    return response
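As an added illustration of the Detection Strategy above (this is not Fluid Attacks' own rule code), the following script walks a module's AST, marks names assigned from `request.GET`/`POST`/`COOKIES`/... as tainted, and flags `set_cookie` calls and `Set-Cookie` header assignments that receive a tainted value. The sample module is constructed here and the script assumes Python 3.9+ (where a subscript's `slice` is the `Constant` node itself).

```python
import ast
# Constructed sample (not code from the page): one tainted view and one clean view.
SAMPLE = '''\
from django.http import HttpRequest, HttpResponse
def vulnerable_cookies(request: HttpRequest) -> HttpResponse:
    user_input = request.GET.get("data")
    response = HttpResponse("Hello")
    response["Set-Cookie"] = user_input
    response.set_cookie("userdata", user_input)
    return response

def safe_cookies(request: HttpRequest) -> HttpResponse:
    response = HttpResponse("Hello")
    response.set_cookie("userdata", "static-value")
    return response
'''

# Attributes of the Django request object that carry client-controlled data.
UNTRUSTED_ATTRS = {"GET", "POST", "COOKIES", "META", "headers", "body"}

def _reads_request(node: ast.AST) -> bool:
    # True if the expression reads request.GET/POST/... as an attribute chain or a .get() call.
    if isinstance(node, ast.Call):
        node = node.func
    while isinstance(node, ast.Attribute):
        if node.attr in UNTRUSTED_ATTRS and isinstance(node.value, ast.Name) \
                and node.value.id == "request":
            return True
        node = node.value
    return False

def find_tainted_cookies(source: str) -> list[tuple[int, str]]:
    findings: list[tuple[int, str]] = []
    for func in (n for n in ast.walk(ast.parse(source)) if isinstance(n, ast.FunctionDef)):
        # Flow-insensitive taint: any name ever assigned from request data counts as tainted.
        tainted = {t.id for n in ast.walk(func) if isinstance(n, ast.Assign)
                   and _reads_request(n.value) for t in n.targets if isinstance(t, ast.Name)}
        is_tainted = lambda v: _reads_request(v) or (isinstance(v, ast.Name) and v.id in tainted)
        for node in ast.walk(func):
            # Sink 1: response.set_cookie(name, value) with a tainted value argument
            if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) \
                    and node.func.attr == "set_cookie" and len(node.args) > 1 \
                    and is_tainted(node.args[1]):
                findings.append((node.lineno, "set_cookie"))
            # Sink 2: response["Set-Cookie"] = value written straight from tainted input
            elif isinstance(node, ast.Assign) and isinstance(node.targets[0], ast.Subscript) \
                    and isinstance(node.targets[0].slice, ast.Constant) \
                    and node.targets[0].slice.value == "Set-Cookie" and is_tainted(node.value):
                findings.append((node.lineno, "Set-Cookie header"))
    return sorted(findings)
```

Running `find_tainted_cookies(SAMPLE)` reports lines 5 and 6 of the sample (the header assignment and the `set_cookie` call) and nothing for `safe_cookies`, whose cookie value is a constant.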