Variant · Low-Medium

CWE-315: Cleartext Storage of Sensitive Information in a Cookie


CWE-315 · Variant Level · 4 CVEs

Description

The product stores sensitive information in cleartext in a cookie.

Attackers can use widely-available tools to view the cookie and read the sensitive information. Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information.

Potential Impact

Confidentiality

Read Application Data

Demonstrative Examples

The following code excerpt stores a plaintext user account ID in a browser cookie.

Bad (Java):

    response.addCookie( new Cookie("userAccountID", acctID) );

Because the account ID is in plaintext, the user's account information is exposed if their computer is compromised by an attacker.
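As an added example (not code from the CWE entry), the cleartext cookie above sits beside a hardened servlet variant that keeps the account ID server-side and gives the browser only an opaque random reference; the `AccountCookie` class, the `accountRef` cookie name and the in-memory token map are assumptions made for illustration.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

// Hypothetical helper: contrasts the CWE-315 pattern with a cookie that
// carries no sensitive data at all, only a random server-side reference.
public final class AccountCookie {
    private static final SecureRandom RNG = new SecureRandom();
    // Server-side lookup table: opaque token -> account ID. In a real
    // deployment this lives in the session store, not a static map.
    private static final Map<String, String> TOKEN_TO_ACCOUNT = new ConcurrentHashMap<>();

    // Weak form (CWE-315): the account ID itself is stored in the cookie,
    // readable by anyone who can inspect the browser's cookie jar.
    static void setCleartextCookie(HttpServletResponse response, String acctID) {
        response.addCookie(new Cookie("userAccountID", acctID));
    }

    // 256 bits from a CSPRNG, base64url-encoded so it is a valid cookie value.
    static String newOpaqueToken() {
        byte[] buf = new byte[32];
        RNG.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    // Hardened form: the browser stores only the random token; the mapping to
    // the account ID never leaves the server.
    static void setOpaqueCookie(HttpServletResponse response, String acctID) {
        String token = newOpaqueToken();
        TOKEN_TO_ACCOUNT.put(token, acctID);
        Cookie c = new Cookie("accountRef", token);
        c.setHttpOnly(true);   // not readable by page scripts
        c.setSecure(true);     // only transmitted over TLS
        c.setPath("/");
        c.setMaxAge(-1);       // session cookie: dropped when the browser closes
        response.addCookie(c);
    }

    // Server-side resolution: a stolen or inspected cookie value reveals
    // nothing about the account on its own.
    static String resolveAccount(String token) {
        return TOKEN_TO_ACCOUNT.get(token);
    }
}
```

Invalidating the token on logout (removing it from the map) also revokes the cookie, which a cleartext account ID cannot offer.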

Detection Methods

  • Automated Static Analysis (Effectiveness: High) — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

Real-World CVE Examples

  • CVE-2002-1800: Admin password in cleartext in a cookie.
  • CVE-2001-1537: Default configuration has cleartext usernames/passwords in cookie.
  • CVE-2001-1536: Usernames/passwords in cleartext in cookies.
  • CVE-2005-2160: Authentication information stored in cleartext in a cookie.

Taxonomy Mappings

  • PLOVER — Plaintext Storage in Cookie
  • Software Fault Patterns: SFP23 — Exposed Data

Frequently Asked Questions

What is CWE-315?

CWE-315 (Cleartext Storage of Sensitive Information in a Cookie) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. The product stores sensitive information in cleartext in a cookie.

How can CWE-315 be exploited?

Attackers can exploit CWE-315 (Cleartext Storage of Sensitive Information in a Cookie) to read application data. This weakness is typically introduced during the Architecture and Design phase of software development.

How do I prevent CWE-315?

Follow secure coding practices, conduct code reviews, and use automated security testing tools (SAST/DAST) to detect this weakness early in the development lifecycle.

What is the severity of CWE-315?

CWE-315 is classified as a Variant-level weakness (Low-Medium abstraction). It has been observed in 4 real-world CVEs.