Password value set in cookie

Description: Password value set in cookie

Some applications issue a cookie containing the clear-text value of the password supplied by the user. This behavior increases the risk that users' passwords will be captured by an attacker. Any cookie-stealing vulnerabilities within the application or browser would enable an attacker to steal the user's credentials to the application.

Vulnerabilities that result in the disclosure of users' passwords can result in compromises that are extremely difficult to investigate due to obscured audit trails. Even if the application itself only handles non-sensitive information, exposing passwords puts users who have re-used their password elsewhere at risk.

Remediation: Password value set in cookie

Applications should not store user credentials within any client-side mechanism such as cookies.

Vulnerability classifications

Typical severity

Medium

Type index (hex)

0x00500900

Type index (decimal)

5245184

Burp Scanner

This issue - and many more like it - can be found using our web vulnerability scanner

Get Burp

Scan your web application from just $449.00

Find out more

How do I?	New Post	View All
Feature Requests	New Post	View All
Burp Extensions	New Post	View All
Bug Reports	New Post	View All