Common Weakness Enumeration

CWE-565

Allowed

Reliance on Cookies without Validation and Integrity Checking

Abstraction: Base · Status: Incomplete

The product relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user.

95 vulnerabilities reference this CWE, most recent first.

GHSA-9G7F-GMJ5-MXVQ

Vulnerability from github – Published: 2022-05-17 00:42 – Updated: 2024-02-08 03:32
VLAI
Details

V3 Chat - Profiles/Dating Script 3.0.2 allows remote attackers to bypass authentication and gain administrative access by setting the admin cookie to 1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2008-5784"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-565"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2008-12-31T11:30:00Z",
    "severity": "HIGH"
  },
  "details": "V3 Chat - Profiles/Dating Script 3.0.2 allows remote attackers to bypass authentication and gain administrative access by setting the admin cookie to 1.",
  "id": "GHSA-9g7f-gmj5-mxvq",
  "modified": "2024-02-08T03:32:44Z",
  "published": "2022-05-17T00:42:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-5784"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/46479"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/7063"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/32603"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/32216"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2008/3071"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C8F6-FGC7-QF74

Vulnerability from github – Published: 2023-09-18 21:30 – Updated: 2024-03-21 03:35
VLAI
Details

** UNSUPPPORTED WHEN ASSIGNED **

Session management within the web application is incorrect and allows attackers to steal session cookies to perform a multitude of actions that the web app allows on the device.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-41084"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-565"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-18T20:15:10Z",
    "severity": "CRITICAL"
  },
  "details": "** UNSUPPPORTED WHEN ASSIGNED ** \n\n\n\n\n\n\n\n\n\n\nSession management within the web application is incorrect and allows attackers to steal session cookies to perform a multitude of actions that the web app allows on the device.\n\n\n\n\n\n\n\n\n\n\n\n",
  "id": "GHSA-c8f6-fgc7-qf74",
  "modified": "2024-03-21T03:35:46Z",
  "published": "2023-09-18T21:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41084"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-250-03"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C9C3-4C2F-4W5R

Vulnerability from github – Published: 2022-05-24 17:46 – Updated: 2022-07-13 00:01
VLAI
Details

DMA Softlab Radius Manager 4.4.0 assigns the same session cookie to every admin session. The cookie is valid when the admin is logged in, but is invalid (temporarily) during times when the admin is logged out. In other words, the cookie is functionally equivalent to a static password, and thus provides permanent access if stolen.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-29012"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-565"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-04-02T13:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "DMA Softlab Radius Manager 4.4.0 assigns the same session cookie to every admin session. The cookie is valid when the admin is logged in, but is invalid (temporarily) during times when the admin is logged out. In other words, the cookie is functionally equivalent to a static password, and thus provides permanent access if stolen.",
  "id": "GHSA-c9c3-4c2f-4w5r",
  "modified": "2022-07-13T00:01:15Z",
  "published": "2022-05-24T17:46:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29012"
    },
    {
      "type": "WEB",
      "url": "https://github.com/1d8/publications/tree/main/cve-2021-29012"
    },
    {
      "type": "WEB",
      "url": "https://sourceforge.net/projects/radiusmanager"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/164154/DMA-Softlab-Radius-Manager-4.4.0-Session-Management-Cross-Site-Scripting.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CG3Q-59W7-RVC2

Vulnerability from github – Published: 2021-09-29 17:12 – Updated: 2021-09-28 20:32
VLAI
Summary
Reliance on Cookies without Validation and Integrity Checking in getgrav/grav
Details

grav is vulnerable to Reliance on Cookies without Validation and Integrity Checking. A cookie with an overly broad path can be accessed through other applications on the same domain. Since cookies often carry sensitive information such as session identifiers, sharing cookies across applications can lead a vulnerability in one application to cause a compromise in another.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "getgrav/grav"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.7.21"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-3818"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-565"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-09-28T20:32:37Z",
    "nvd_published_at": "2021-09-27T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "grav is vulnerable to Reliance on Cookies without Validation and Integrity Checking. A cookie with an overly broad path can be accessed through other applications on the same domain. Since cookies often carry sensitive information such as session identifiers, sharing cookies across applications can lead a vulnerability in one application to cause a compromise in another.",
  "id": "GHSA-cg3q-59w7-rvc2",
  "modified": "2021-09-28T20:32:37Z",
  "published": "2021-09-29T17:12:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav/commit/c51fb1779b83f620c0b6f3548d4a96322b55df07"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/getgrav/grav"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/c2bc65af-7b93-4020-886e-8cdaeb0a58ea"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Reliance on Cookies without Validation and Integrity Checking in getgrav/grav"
}

GHSA-CH9M-4JXR-G98Q

Vulnerability from github – Published: 2022-09-13 00:00 – Updated: 2022-09-16 00:00
VLAI
Details

UCMS v1.6.0 contains an authentication bypass vulnerability which is exploited via cookie poisoning.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-38297"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-565"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-12T23:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "UCMS v1.6.0 contains an authentication bypass vulnerability which is exploited via cookie poisoning.",
  "id": "GHSA-ch9m-4jxr-g98q",
  "modified": "2022-09-16T00:00:39Z",
  "published": "2022-09-13T00:00:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38297"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tobysunyaya/UCMS_vulunerablities/blob/main/UCMS%20v1.6%20cookies%20poisoning%20attack%20vulnerability"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CPCP-57XW-48RV

Vulnerability from github – Published: 2026-06-17 21:34 – Updated: 2026-06-17 21:34
VLAI
Details

Hermes WebUI before 0.51.368 contains an authorization bypass vulnerability in the get_profile_cookie() function that accepts unauthenticated profile names from the hermes_profile cookie. An authenticated attacker can forge the hermes_profile cookie value to bypass profile-scoped authorization checks and access sessions, files, and resources across different profiles.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-53871"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-565"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-17T19:18:11Z",
    "severity": "HIGH"
  },
  "details": "Hermes WebUI before 0.51.368 contains an authorization bypass vulnerability in the get_profile_cookie() function that accepts unauthenticated profile names from the hermes_profile cookie. An authenticated attacker can forge the hermes_profile cookie value to bypass profile-scoped authorization checks and access sessions, files, and resources across different profiles.",
  "id": "GHSA-cpcp-57xw-48rv",
  "modified": "2026-06-17T21:34:38Z",
  "published": "2026-06-17T21:34:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53871"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nesquena/hermes-webui/pull/4023"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nesquena/hermes-webui/pull/4036"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nesquena/hermes-webui/commit/9e96f5f6adf93b6d1e27ebddfb4d2833ca06ff3b"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nesquena/hermes-webui/releases/tag/v0.51.368"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/hermes-webui-profile-scoped-authorization-bypass-via-forged-hermes-profile-cookie"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-CQ85-4F5H-QQC4

Vulnerability from github – Published: 2024-02-20 15:31 – Updated: 2024-11-20 00:32
VLAI
Details

Set-Cookie response headers were being incorrectly honored in multipart HTTP responses. If an attacker could control the Content-Type response header, as well as control part of the response body, they could inject Set-Cookie response headers that would have been honored by the browser. This vulnerability affects Firefox < 123 and Firefox ESR < 115.8.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-1551"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-565"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-20T14:15:08Z",
    "severity": "MODERATE"
  },
  "details": "Set-Cookie response headers were being incorrectly honored in multipart HTTP responses. If an attacker could control the Content-Type response header, as well as control part of the response body, they could inject Set-Cookie response headers that would have been honored by the browser. This vulnerability affects Firefox \u003c 123 and Firefox ESR \u003c 115.8.",
  "id": "GHSA-cq85-4f5h-qqc4",
  "modified": "2024-11-20T00:32:08Z",
  "published": "2024-02-20T15:31:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1551"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1864385"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00000.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00001.html"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-05"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-06"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-07"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CWMX-HCRQ-MHC3

Vulnerability from github – Published: 2022-05-25 18:09 – Updated: 2022-06-20 22:02
VLAI
Summary
Cross-domain cookie leakage in Guzzle
Details

Impact

Previous version of Guzzle contain a vulnerability with the cookie middleware. The vulnerability is that it is not checked if the cookie domain equals the domain of the server which sets the cookie via the Set-Cookie header, allowing a malicious server to set cookies for unrelated domains. For example an attacker at www.example.com might set a session cookie for api.example.net, logging the Guzzle client into their account and retrieving private API requests from the security log of their account.

Note that our cookie middleware is disabled by default, so most library consumers will not be affected by this issue. Only those who manually add the cookie middleware to the handler stack or construct the client with ['cookies' => true] are affected. Moreover, those who do not use the same Guzzle client to call multiple domains and have disabled redirect forwarding are not affected by this vulnerability.

Patches

Affected Guzzle 7 users should upgrade to Guzzle 7.4.3 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.6 or 7.4.3.

Workarounds

If you do not need support for cookies, turn off the cookie middleware. It is already off by default, but if you have turned it on and no longer need it, turn it off.

References

For more information

If you have any questions or comments about this advisory, please get in touch with us in #guzzle on the PHP HTTP Slack. Do not report additional security advisories in that public channel, however - please follow our vulnerability reporting process.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "guzzlehttp/guzzle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.5.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "guzzlehttp/guzzle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.0"
            },
            {
              "fixed": "7.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-29248"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-565"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-05-25T18:09:55Z",
    "nvd_published_at": "2022-05-25T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nPrevious version of Guzzle contain a vulnerability with the cookie middleware. The vulnerability is that it is not checked if the cookie domain equals the domain of the server which sets the cookie via the `Set-Cookie` header, allowing a malicious server to set cookies for unrelated domains. For example an attacker at `www.example.com` might set a session cookie for `api.example.net`, logging the Guzzle client into their account and retrieving private API requests from the security log of their account.\n\nNote that our cookie middleware is disabled by default, so most library consumers will not be affected by this issue. Only those who manually add the cookie middleware to the handler stack or construct the client with `[\u0027cookies\u0027 =\u003e true]` are affected. Moreover, those who do not use the same Guzzle client to call multiple domains and have disabled redirect forwarding are not affected by this vulnerability.\n\n### Patches\n\nAffected Guzzle 7 users should upgrade to Guzzle 7.4.3 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.6 or 7.4.3.\n\n### Workarounds\n\nIf you do not need support for cookies, turn off the cookie middleware. It is already off by default, but if you have turned it on and no longer need it, turn it off.\n\n### References\n\n* [RFC6265 Section 5.3](https://datatracker.ietf.org/doc/html/rfc6265#section-5.3)\n* [RFC9110 Section 15.4](https://www.rfc-editor.org/rfc/rfc9110.html#name-redirection-3xx)\n\n### For more information\n\nIf you have any questions or comments about this advisory, please get in touch with us in `#guzzle` on the [PHP HTTP Slack](https://php-http.slack.com/). Do not report additional security advisories in that public channel, however - please follow our [vulnerability reporting process](https://github.com/guzzle/guzzle/security/policy).\n",
  "id": "GHSA-cwmx-hcrq-mhc3",
  "modified": "2022-06-20T22:02:17Z",
  "published": "2022-05-25T18:09:55Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/guzzle/guzzle/security/advisories/GHSA-cwmx-hcrq-mhc3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29248"
    },
    {
      "type": "WEB",
      "url": "https://github.com/guzzle/guzzle/pull/3018"
    },
    {
      "type": "WEB",
      "url": "https://github.com/guzzle/guzzle/commit/74a8602c6faec9ef74b7a9391ac82c5e65b1cdab"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/guzzlehttp/guzzle/CVE-2022-29248.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/guzzle/guzzle"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2022/dsa-5246"
    },
    {
      "type": "WEB",
      "url": "https://www.drupal.org/sa-core-2022-010"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Cross-domain cookie leakage in Guzzle"
}

GHSA-F3GR-956R-2X26

Vulnerability from github – Published: 2023-02-01 21:30 – Updated: 2023-02-10 18:30
VLAI
Details

All versions of Landis+Gyr E850 (ZMQ200) are vulnerable to CWE-784: Reliance on Cookies Without Validation and Integrity. The device's web application navigation depends on the value of the session cookie. The web application could become inaccessible for the user if an attacker changes the cookie values.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-3083"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-565",
      "CWE-784"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-02-01T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "All versions of Landis+Gyr E850 (ZMQ200) are vulnerable to CWE-784: Reliance on Cookies Without Validation and Integrity. The device\u0027s web application navigation depends on the value of the session cookie. The web application could become inaccessible for the user if an attacker changes the cookie values.",
  "id": "GHSA-f3gr-956r-2x26",
  "modified": "2023-02-10T18:30:30Z",
  "published": "2023-02-01T21:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3083"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-026-07"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FPCR-G545-M542

Vulnerability from github – Published: 2022-02-17 00:00 – Updated: 2022-02-24 00:01
VLAI
Details

WAGO 750-8212 PFC200 G2 2ETH RS Firmware version 03.05.10(17) is affected by a privilege escalation vulnerability. Improper handling of user cookies leads to escalating privileges to administrative account of the router.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-46388"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-565"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-02-16T11:15:00Z",
    "severity": "HIGH"
  },
  "details": "WAGO 750-8212 PFC200 G2 2ETH RS Firmware version 03.05.10(17) is affected by a privilege escalation vulnerability. Improper handling of user cookies leads to escalating privileges to administrative account of the router.",
  "id": "GHSA-fpcr-g545-m542",
  "modified": "2022-02-24T00:01:01Z",
  "published": "2022-02-17T00:00:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46388"
    },
    {
      "type": "WEB",
      "url": "https://drive.google.com/drive/folders/1FDtxZayLeSITcqP72c7FsTOpAFGFePVE"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/166159/WAGO-750-8212-PFC200-G2-2ETH-RS-Privilege-Escalation.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation
Architecture and Design

Avoid using cookie data for a security-related decision.

Mitigation
Implementation

Perform thorough input validation (i.e.: server side validation) on the cookie data if you're going to use it for a security related decision.

Mitigation
Architecture and Design

Add integrity checks to detect tampering.

Mitigation
Architecture and Design

Protect critical cookies from replay attacks, since cross-site scripting or other attacks may allow attackers to steal a strongly-encrypted cookie that also passes integrity checks. This mitigation applies to cookies that should only be valid during a single transaction or session. By enforcing timeouts, you may limit the scope of an attack. As part of your integrity check, use an unpredictable, server-side value that is not exposed to the client.

CAPEC-226: Session Credential Falsification through Manipulation

An attacker manipulates an existing credential in order to gain access to a target application. Session credentials allow users to identify themselves to a service after an initial authentication without needing to resend the authentication information (usually a username and password) with every message. An attacker may be able to manipulate a credential sniffed from an existing connection in order to gain access to a target server.

CAPEC-31: Accessing/Intercepting/Modifying HTTP Cookies

This attack relies on the use of HTTP Cookies to store credentials, state information and other critical data on client systems. There are several different forms of this attack. The first form of this attack involves accessing HTTP Cookies to mine for potentially sensitive data contained therein. The second form involves intercepting this data as it is transmitted from client to server. This intercepted information is then used by the adversary to impersonate the remote user/session. The third form is when the cookie's content is modified by the adversary before it is sent back to the server. Here the adversary seeks to convince the target server to operate on this falsified information.

CAPEC-39: Manipulating Opaque Client-based Data Tokens

In circumstances where an application holds important data client-side in tokens (cookies, URLs, data files, and so forth) that data can be manipulated. If client or server-side application components reinterpret that data as authentication tokens or data (such as store item pricing or wallet information) then even opaquely manipulating that data may bear fruit for an Attacker. In this pattern an attacker undermines the assumption that client side tokens have been adequately protected from tampering through use of encryption or obfuscation.