
How to fix header manipulation cookies using JavaScript? - Stack Overflow


My JavaScript code:

function CookieSetting(name, value) {
    var today = new Date();
    today.setTime( today.getTime() );
    var expires = 28;                                   // cookie lifetime in days
    expires = expires * 1000 * 60 * 60 * 24;            // converted to milliseconds
    var expires_date = new Date( today.getTime() + (expires) );
    document.cookie = name + "=" + escape( value ) +
        ( ( expires ) ? "; domain=" + window.location.hostname + ";path=/;expires=" + expires_date.toGMTString() : "" );
}

It's working fine, but when I run the Fortify tool, it is showing this error:

The method CookieSetting() includes unvalidated data in an HTTP response header.

This enables attacks such as cache-poisoning, cross-site scripting, cross-user defacement, page hijacking, cookie manipulation or open redirect.

Including unvalidated data in an HTTP response header can enable cache-poisoning cross-site scripting, cross-user defacement, page hijacking, cookie manipulation or open redirect.

How can I fix this?


asked Aug 26, 2014 at 5:48 by tajMahal; edited Jul 14, 2016 at 5:04 by Pang

1 Answer

The problem is that if value comes from user input, he can attack your HTTP headers.

If he is able to insert a CR (carriage return, also written as %0d or \r) into the value, then he can add other headers to your HTTP request (because HTTP headers are separated by CR). Source: Nice web article about those attacks.

Solution A)

I've looked into an existing implementation of a JavaScript setCookie, and what they do is:

optionsString = ( ( expires ) ? "; domain=" + window.location.hostname + ";path=/;expires=" + expires_date.toGMTString() : "" );
document.cookie = cookieName + '=' + encodeURIComponent( value ) + optionsString;

But if you do this, you would need the opposite method for getting the cookie, getCookie(), in which you would do decodeURIComponent() before returning the value.

I would try to sanitize your value with the encodeURIComponent() method.

Solution B)

Sanitize the name parameter

Another thing which you can try is just to sanitize your name with the escape method; maybe this is why the Fortify tool is complaining:

document.cookie = window.escape(name)+"="+window.escape(value) + ...
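The following is an added example, not code from the question or the answer: it builds the cookie string with encodeURIComponent (Solution A), rejects cookie names that are not RFC 6265 tokens (the spirit of Solution B), and pairs it with a getter that decodes the value again. It returns and parses plain strings instead of touching document.cookie, so it runs in Node as well; the domain and the fixed clock are assumed inputs, and the sample value containing CR/LF is constructed to show that the control characters never reach the cookie string raw.

```javascript
// RFC 6265 cookie-name token: letters, digits and a few symbols, no
// control characters, spaces or separators such as ';' '=' ','.
const COOKIE_NAME_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Builds the string you would assign to document.cookie. `opts.domain`
// stands in for window.location.hostname; `opts.now` lets tests fix time.
function buildCookieString(name, value, opts) {
  if (!COOKIE_NAME_RE.test(name)) {
    throw new Error('invalid cookie name: ' + JSON.stringify(name));
  }
  const days = opts && opts.days !== undefined ? opts.days : 28;
  const now = opts && opts.now ? opts.now : new Date();
  const domain = opts && opts.domain;
  const expiresDate = new Date(now.getTime() + days * 24 * 60 * 60 * 1000);
  // encodeURIComponent turns \r and \n into %0D and %0A, so a value cannot
  // terminate the cookie or smuggle extra attributes/headers.
  let cookie = name + '=' + encodeURIComponent(String(value));
  if (domain) cookie += '; domain=' + domain;
  cookie += '; path=/; expires=' + expiresDate.toUTCString();
  return cookie;
}

// The matching getter: parses a document.cookie-style "a=1; b=2" string
// and reverses the encoding so callers get the original value back.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of cookieHeader.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const key = part.slice(0, idx).trim();
    const raw = part.slice(idx + 1).trim();
    if (key) out[key] = decodeURIComponent(raw);
  }
  return out;
}

// Check a practitioner can run over any cookie string before assigning it:
// true when no raw CR/LF is present.
function hasNoCrlf(s) {
  return !/[\r\n]/.test(s);
}

// Constructed sample: a value carrying CR/LF and a fixed clock (2014-08-26).
const sample = buildCookieString('session', 'v1\r\nx=y', {
  domain: 'example.com', now: new Date(Date.UTC(2014, 7, 26)),
});
console.log(sample);                 // session=v1%0D%0Ax%3Dy; domain=example.com; ...
console.log(hasNoCrlf(sample));      // true
console.log(parseCookies(sample));   // { session: 'v1\r\nx=y', domain: ..., path: ..., expires: ... }
```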