Creative Commons attribution licensed image courtesy scuba67
A recent web application vulnerability scan came back with an interesting result: automated cross-site scripting tests were showing positive results in cookies.
"Wait! That can't be!" you say, knowing that cookies typically don't contain user-visible content that their browser would interpret.
That was my reaction as well, so I went digging. Our environment uses ColdFusion for some application development, so most cookie handling is done via ColdFusion's built-in cookie management tools. How was a cookie's content being rolled into the page?
Further digging showed that the finding only appeared on error pages, and the developer confirmed that those pages were generated automatically by ColdFusion and were not custom to his application. This is where having sharp developers comes in handy: the developer paused, looked more closely at the page and noted that he had requested a scan of our development environment, and that the ColdFusion error messages were disabled in our pre-prod and production environments.
Users would never see the XSS in any public-facing environment, and even there it would only appear on an error page, not on any valid user page. A false positive thanks to compensating controls, and a very low risk profile even without them.
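One way to verify that compensating control per environment, as an added example that is not from the original post or from ColdFusion: send a request carrying a random marker in a cookie, capture the error page, and classify whether the marker comes back raw, HTML-encoded, or not at all. The response bodies below are constructed stand-ins for captured pages, not real ColdFusion output, and the `cfcanary` name is an assumption for illustration.

```python
import html
import secrets


def make_canary() -> str:
    """Random marker wrapped in characters that must be encoded to be safe in HTML.
    The random part keeps it from matching legitimate page content by accident."""
    return f'<cfcanary-{secrets.token_hex(4)}>"'


def classify_reflection(body: str, canary: str) -> str:
    """Decide how a cookie value ended up in a response body.

    'raw'     - marker appears verbatim, '<' and '"' included: the page echoes
                cookie content without output encoding (the scanner's finding)
    'encoded' - marker appears only in HTML-escaped form: reflected but neutralised
    'none'    - marker absent: nothing from the cookie reaches the page
    """
    if canary in body:
        return "raw"
    if html.escape(canary, quote=True) in body:
        return "encoded"
    return "none"


def audit_environments(pages: dict[str, str], canary: str) -> dict[str, str]:
    """Run the classification over one captured error page per environment."""
    return {env: classify_reflection(body, canary) for env, body in pages.items()}


# Constructed sample bodies standing in for captured error pages (not real
# ColdFusion output). The canary is fixed here so the result is reproducible.
CANARY = '<cfcanary-1234abcd>"'
SAMPLE_PAGES = {
    # development: verbose error page that repeats request data, cookie included
    "dev": f"<html><body><h1>Error Occurred</h1><p>Cookies: session={CANARY}</p></body></html>",
    # pre-prod: same page, but output encoding applied to the cookie value
    "preprod": f"<html><body><h1>Error Occurred</h1><p>Cookies: session={html.escape(CANARY)}</p></body></html>",
    # production: detailed error output disabled, generic message only
    "prod": "<html><body><h1>An error has occurred.</h1></body></html>",
}

if __name__ == "__main__":
    for env, verdict in audit_environments(SAMPLE_PAGES, CANARY).items():
        print(f"{env:8s} {verdict}")
```

Only the "raw" verdict is an actual finding; "encoded" shows the framework fix working, and "none" shows the detailed error page is disabled for that environment.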
So, yes, you can have XSS in cookies, but it isn't as tasty as it might sound.
And the sharp developer? He and a co-worker went back through their ColdFusion framework and wrote back to me that the discovery had inspired them to armor their standard framework against similar issues in the future: they proactively updated it and will roll that update out to all of their standard framework applications.