C Sharp Insecure Cookie Data Storage
Description
Detects when sensitive or user-provided data is stored directly in cookies without proper encryption or protection in C# web applications. This creates a security risk since cookies can be intercepted, read, or modified by attackers, potentially exposing sensitive user information.
Detection Strategy
• Identifies usage of System.Web namespace in the codebase
• Looks for direct writes to Response.Cookies through the HTTP response object
• Checks if the data being stored in cookies comes from user input or untrusted sources
• Reports a vulnerability when unprotected user data is written to cookies
Vulnerable code example
using System.Web;
public class InsecureCookieHandler : IHttpHandler
{
public void ProcessRequest(HttpContext ctx)
{
// Vulnerable: Directly storing auth token in cookie without encryption/security
ctx.Response.Cookies["authenticationtoken"].Value = ctx.Request.QueryString["AuthenticationToken"];...✅ Secure code example
using System;
using System.Web;
using System.Web.Security;
using System.Text;
public class SecureCookieHandler : IHttpHandler
{
public void ProcessRequest(HttpContext ctx) ...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.