
HP Fortify Cookie Error of Header Manipulation

I am using Fortify to scan my code. It is identifying the error "Header Manipulation: Cookies". Further it says "includes unvalidated data in an HTTP cookie". My code is below.

String cookieName = "Foo";
// Strip every character outside the allowed set from the cookie name.
System.Text.RegularExpressions.Regex rgx = new System.Text.RegularExpressions.Regex("[^a-zA-Z0-9 -]");
String FullCookieName = ".OmniPro" + cookieName;
FullCookieName = rgx.Replace(FullCookieName, "");
// Fetch the cookie the browser sent and, if present, send it back with a past expiry date.
HttpCookie oldCookie = Request.Cookies[FullCookieName];
if (oldCookie != null)
{
    oldCookie.Expires = DateTime.Now.AddDays(-1);
    Response.Cookies.Add(oldCookie); // Fortify reports "Header Manipulation: Cookies" here
}

The error is identified on "Cookies.Add". My intention is to just expire the old cookie. I have found no way to make Fortify happy. Any help would be appreciated.

The problem is taking the old cookie and then sending it back out. Cookies are not considered a trusted input for Fortify because they can be edited by the user. You would want to validate what is inside the cookie before adding it to the response. Even when you do this, Fortify will still likely report the issue. When doing input validation Fortify doesn't trust your validation inherently. You have to create a custom rule to do that. Once you think the input is sufficiently sanitized you could also just suppress the issue.

Fortify has a user community at https://protect724.hp.com that is also monitored by support. You may get quicker answers there.

I changed the code to be like below and Fortify accepted it.

String cookieName = "Foo";
System.Text.RegularExpressions.Regex rgx = new System.Text.RegularExpressions.Regex("[^a-zA-Z0-9 -]");
String FullCookieName = ".OmniPro" + cookieName;
HttpCookie oldCookie = Request.Cookies[FullCookieName];
if (oldCookie != null)
{
    // Build a fresh cookie with the sanitized name instead of reusing the request cookie object.
    String DeleteCookieName = rgx.Replace(FullCookieName, "");
    HttpCookie expiredCookie = new HttpCookie(DeleteCookieName) { Expires = DateTime.Now.AddDays(-1) };
    HttpContext.Current.Response.Cookies.Add(expiredCookie); // overwrite it
}

Thanks

It seems to me that the extension .OmniPro has a very specific use case, which I don't question. However, the regular expression doesn't seem to be essential.

Much simpler code passes HP's Fortify scan for header manipulation prevention:

// DeleteCookieName is the cookie name string from the answer above; no regex step is needed.
HttpCookie expiredCookie = new HttpCookie(DeleteCookieName)
  { Expires = DateTime.Now.AddDays(-1) };
HttpContext.Current.Response.Cookies.Add(expiredCookie); // Overwrite cookie.

Moreover, for these kinds of cookies which expire immediately (see DateTime.Now.AddDays(-1)) I'm a bit sceptical whether it's not a false positive, because this cookie can never be fetched - it simply expires before it has been created.
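The pattern the answers converge on, as an added example that is not code from the question or any of the answers: expire a cookie by emitting a brand-new, empty Set-Cookie rather than copying the inbound request cookie into the response, and reject (instead of stripping) any cookie name that is not a plain token. HttpResponse and HttpCookie are the System.Web types used on this page; the helper name, the allow-list regex and the path/domain parameters are assumptions.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;

// Added illustration (assumed helper), not code from the question or answers.
public static class CookieExpiry
{
    // Allow-list for cookie names: RFC 6265 "token" characters only.
    // CR, LF, ';', ',', '=', whitespace and so on are rejected outright, so a
    // malformed name can never be written into a Set-Cookie header.
    private static readonly Regex CookieNameToken =
        new Regex(@"^[A-Za-z0-9!#$%&'*+\-.^_`|~]+$", RegexOptions.Compiled);

    // Expires a cookie by sending a fresh, empty cookie with a past expiry date.
    // Nothing from the request cookie (neither name nor value) is copied into the
    // response, which is what the "Header Manipulation: Cookies" finding is about.
    // Path and Domain must match the cookie being removed, otherwise the browser
    // stores a second cookie and keeps the original one.
    public static void ExpireCookie(HttpResponse response, string cookieName,
                                    string path = "/", string domain = null)
    {
        if (string.IsNullOrEmpty(cookieName) || !CookieNameToken.IsMatch(cookieName))
            throw new ArgumentException("Cookie name is not a valid token", nameof(cookieName));

        var expired = new HttpCookie(cookieName, string.Empty)
        {
            Expires = DateTime.UtcNow.AddDays(-1),
            Path = path,
            HttpOnly = true
        };
        if (!string.IsNullOrEmpty(domain))
            expired.Domain = domain;

        response.Cookies.Add(expired);
    }
}

// Usage with the fixed cookie name from the question (prefix ".OmniPro" + "Foo"):
// CookieExpiry.ExpireCookie(HttpContext.Current.Response, ".OmniProFoo");
```

Because the name is validated against an allow-list and the value is a constant, the only untrusted input reaching the header is rejected before it gets there; the regex on the page instead silently strips characters, which is harder for a scanner (and a reviewer) to reason about.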
