Authentication / Password Value Set in Cookie

Description

Password value set in cookie is an authentication vulnerability that occurs when a web application stores the user's password as a cookie on the user's device, which can be accessed by malicious actors. The Common Weakness Enumeration (CWE) directory classifies this vulnerability as CWE-315, which is defined as “Cleartext Storage of a Password in a Cookie.” The OWASP Testing Guide provides a checklist of tests to identify this vulnerability.

Risk

The risk of this vulnerability is that a malicious actor can access the user's password by obtaining the cookie stored on the user's device. This can lead to the malicious actor gaining access to the user's account and sensitive data. Additionally, an attacker can use the password to gain access to other accounts if the user has reused their password.

Solution

The best solution to address this vulnerability is to never store passwords in cookies. Instead, use hashed passwords and reset tokens for authentication. Additionally, regularly audit and clear the cookies stored on user devices.