CGI Generic Cookie Injection Scripting

medium Nessus Plugin ID 44136


The remote web server is prone to cookie injection attacks.


The remote web server hosts at least one CGI script that fails to adequately sanitize request strings with malicious JavaScript.

By leveraging this issue, an attacker may be able to inject arbitrary cookies. Depending on the structure of the web application, it may be possible to launch a 'session fixation' attack using this mechanism.

Please note that :

- Nessus did not check if the session fixation attack is feasible.

- This is not the only vector of session fixation.


Restrict access to the vulnerable application. Contact the vendor for a patch or upgrade.

See Also

Plugin Details

Severity: Medium

ID: 44136

File Name: torture_cgi_cookie_manip.nasl

Version: 1.20

Type: remote

Family: CGI abuses

Published: 1/25/2010

Updated: 4/11/2022

Configuration: Enable thorough checks

Risk Information


Risk Factor: Medium

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Information

Required KB Items: Settings/enable_web_app_tests

Reference Information

CWE: 472, 642, 715, 722