Typescript Unsanitized Cookie Value
Description
This detector identifies TypeScript code that constructs cookies in an insecure manner, potentially allowing cookie injection attacks or other security vulnerabilities. The vulnerability occurs when user-controlled data is used to construct cookie values without proper sanitization or validation.
Detection Strategy
• Scans TypeScript source code for cookie-related function calls and operations
• Identifies nodes in the code that involve cookie construction or manipulation
• Evaluates each cookie operation using security criteria to determine if it's unsafe
• Reports a vulnerability when cookie values are constructed using potentially untrusted input without proper sanitization
• Focuses on detecting patterns where user data could be injected into cookie values, leading to cookie poisoning or session manipulation attacks
Vulnerable code example
declare var module: any;
function ts_vuln (req, res) {
  const value = req.query.value;
  const value2 = req.query.value;
  res.setHeader("Set-Cookie", value); // Cookie injection: unsanitized user input
  res.cookie("connect.sid", value2); // Cookie injection: direct user input to cookie...
}
✅ Secure code example
declare var module: any;
function ts_vuln (req, res) {
  const value = req.query.value;
  const value2 = req.query.value;
  // Safe: Use predefined header name instead of cookie injection
  res.setHeader("X-Custom-Data", value);...
}
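When a request value does have to end up in a cookie, the "proper sanitization or validation" the description refers to can be an allow-list check applied before the header is built. The following is an added example, not part of the original page or the detector's own code; `buildSetCookie`, `tryBuild`, the allow-list pattern and the sample inputs are assumptions made for illustration.

```typescript
// Added example (hypothetical helper names; sample inputs are constructed).
// RFC 6265 cookie-name is an HTTP token: no control chars, spaces or separators.
const COOKIE_NAME = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
// Assumption: the application only needs short opaque values in this cookie.
const SAFE_VALUE = /^[A-Za-z0-9_-]{1,128}$/;
// Session cookies are issued by the session layer, never from request data.
const RESERVED_NAMES: string[] = ["connect.sid"];

function buildSetCookie(name: string, value: unknown): string {
  if (!COOKIE_NAME.test(name) || RESERVED_NAMES.indexOf(name) !== -1) {
    throw new Error("cookie name not allowed");
  }
  // Express may parse req.query.value as a string, an array or an object.
  if (typeof value !== "string" || !SAFE_VALUE.test(value)) {
    throw new Error("cookie value rejected");
  }
  // Attributes are fixed server-side constants, never taken from the request.
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Returns the header, or null when the input is refused (caller answers 400).
function tryBuild(name: string, value: unknown): string | null {
  try {
    return buildSetCookie(name, value);
  } catch {
    return null;
  }
}

// Constructed inputs: one benign value, then the shapes the detector warns about.
const samples: Array<[string, unknown]> = [
  ["pref", "dark_mode"],               // plain value
  ["pref", "x; Domain=example.test"],  // would append a cookie attribute
  ["pref", "x\r\nSet-Cookie: other=1"], // would split the header
  ["pref", ["a", "b"]],                // repeated query parameter, not a string
  ["connect.sid", "abc123"],           // session cookie supplied by the client
];
// results: [header string, null, null, null, null]
const results = samples.map(([n, v]) => tryBuild(n, v));
```

Rejecting the input outright, rather than stripping characters from it, keeps the check simple to audit and avoids silently storing a value the user did not send.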