For those who arrived directly at this post, I'd strongly suggest reading the following in sequence to gain context

The main purpose of a cookie is to identify users and possibly prepare customized Web pages for consumers based on their profile.

However, there are at least three problems in this case.

  1. The first is that sensitive information is stored in the cookie as plain text, which is not recommended. A malicious user can sniff the connection and capture any data transmitted over the network, so some form of encryption should be used.
  2. The second is that the developer did not set the HttpOnly attribute. If the browser supports it (most modern browsers do), it will not allow the user to change the value of this cookie. In the current example, the user's type is stored in the cookie; if the user changes this value from User to Admin, the application will treat that user's subsequent requests as admin requests.
  3. A third, possible, problem is that the developer did not set the Secure attribute. Developers usually store all sorts of information in cookies. Because cookies are easy to manipulate, they are used to exchange information from the server to the browser and vice versa. The difficulty of finding a vulnerability in this process lies in the fact that the use of cookies is usually intertwined with several other program statements. Those other statements are more important to the functionality being implemented, which ends up hiding the importance of cookies (and their potential for harm). Thus, developers or reviewers may not feel the need to pay attention to them.

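The three problems above, side by side in servlet code, as an added example that is not from the original post or from the application it analyzes. The insecure method is the pattern the post describes (a clear-text role value, no HttpOnly, no Secure); the hardened method sets both attributes and wraps the value in an HMAC so that a cookie edited from User to Admin fails verification on the server. The cookie name `userType`, the class name and the demo key are assumptions made for this example; the HMAC is a substitution for the post's "some sort of encryption", since the tampering scenario is an integrity problem (encrypting the value would additionally hide it). HttpOnly keeps the cookie away from client-side script; it does not stop a user editing their own cookie jar, which is why the server-side check matters.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

public class RoleCookieExample {

    // Constructed demo key for this example only; a real deployment loads a
    // random key from a secret store and rotates it.
    private static final byte[] DEMO_KEY =
        "replace-me-with-a-random-256-bit-key".getBytes(StandardCharsets.UTF_8);

    /** The pattern the post flags: clear-text role, no HttpOnly, no Secure. */
    public static void addRoleCookieInsecure(HttpServletResponse response, String role) {
        Cookie cookie = new Cookie("userType", role);  // "User" or "Admin" in the clear
        response.addCookie(cookie);                     // neither setHttpOnly nor setSecure called
    }

    /** Hardened variant: attributes set, value carries a MAC so tampering is detectable. */
    public static void addRoleCookieHardened(HttpServletResponse response, String role) {
        Cookie cookie = new Cookie("userType", sign(role));
        cookie.setHttpOnly(true);   // not exposed to document.cookie (Servlet 3.0+)
        cookie.setSecure(true);     // only sent over TLS, so it cannot be sniffed in the clear
        cookie.setPath("/");
        cookie.setMaxAge(30 * 60);  // 30 minutes
        response.addCookie(cookie);
    }

    /** Encodes value as value + "." + base64url(HMAC-SHA256(key, value)). */
    static String sign(String value) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(DEMO_KEY, "HmacSHA256"));
            byte[] tag = mac.doFinal(value.getBytes(StandardCharsets.UTF_8));
            return value + "." + Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("HMAC unavailable", e);
        }
    }

    /** Returns the role if the MAC verifies, or null if the cookie was altered or malformed. */
    static String verify(String cookieValue) {
        if (cookieValue == null) return null;
        int dot = cookieValue.lastIndexOf('.');  // the base64url tag never contains '.'
        if (dot <= 0) return null;
        String value = cookieValue.substring(0, dot);
        // Constant-time comparison so the response time does not leak how much of the tag matched.
        boolean ok = MessageDigest.isEqual(
            sign(value).getBytes(StandardCharsets.UTF_8),
            cookieValue.getBytes(StandardCharsets.UTF_8));
        return ok ? value : null;
    }

    public static void main(String[] args) {
        String issued = sign("User");
        System.out.println("issued cookie value: " + issued);
        System.out.println("genuine cookie verifies as: " + verify(issued));
        // A user who rewrites the role but cannot recompute the tag is rejected.
        String forged = "Admin" + issued.substring(issued.indexOf('.'));
        System.out.println("forged cookie verifies as: " + verify(forged));   // null
        System.out.println("tagless cookie verifies as: " + verify("Admin")); // null
    }
}
```

Compile against the Servlet API (`javax.servlet-api` 3.0 or later for `setHttpOnly`). Even with the MAC, keeping the role server-side in the session and sending only an opaque session identifier is the simpler design; the signed cookie shown here is the minimal fix for code that already puts the role in the cookie.
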
Execute the following commands in the Ocular shell. The first query finds cookies that are constructed and passed to addCookie without setHttpOnly or setSecure being called along the way; the second follows cookie data from addCookie into a RequestDispatcher.forward call under the same condition.

```scala
{
  // Source: every parameter of a Cookie constructor (name and value)
  val source = cpg.method.fullName(".*Cookie.<init>.*").parameter
  // Sink: the cookie object handed to HttpServletResponse.addCookie
  val sink = cpg.method.name("addCookie").parameter
  // Print only the flows on which neither setHttpOnly nor setSecure is called
  sink.reachableBy(source).flows.passesNot("setHttpOnly").passesNot("setSecure").p
}
```

```scala
{
  // Source: the cookie passed to addCookie
  val source = cpg.method.name("addCookie").parameter
  // Sink: arguments of javax.servlet.RequestDispatcher.forward
  val sink = cpg.method.fullName(".*javax.servlet.RequestDispatcher.forward.*").parameter
  // Print only the flows on which neither setHttpOnly nor setSecure is called
  sink.reachableBy(source).flows.passesNot("setHttpOnly").passesNot("setSecure").p
}
```