Sensitive Cookie Without HttpOnly Flag
Test name: Cookie Security Check
Test ID: cookie_security
| Summary |
|---|
An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user's web browser. The browser may store it and send it back with later requests to the same server. Typically, it's used to tell if two requests came from the same browser (keeping a user logged-in, for example).
One of the ways to protect sensitive cookies is to ensure that they are not accessed by unintended parties or scripts: use the HttpOnly attribute. A cookie with the HttpOnly attribute is inaccessible to the JavaScript Document.cookie API. The cookie is sent only to the server. For example, cookies that persist server-side sessions do not need to be available to JavaScript, and should have the HttpOnly attribute. This precaution helps mitigate Cross-Site Scripting (XSS) attacks, where an attacker may read the contents of a cookie and use the obtained information.
| Impact |
|---|
The vulnerability allows an attacker to read the application data, gain privileges or assume identity.
| Location |
|---|
The issue can be found in the source code on the server side.
| Remedy suggestions |
|---|
It is necessary to configure (enable) the Secure attribute for sensitive cookies.
- .NET
* "Web.config" :
```
<system.web>
...
</system.web>
* C# :
```js
Response.Cookies.Add(
new HttpCookie("key", "value")
{
.....
Secure = true
});
-
PHP
- "php.ini" :
session.cookie_httponly = True- During a script (parameter
$httponlyshould be set totrue):
void session_set_cookie_params ( int $lifetime [, string $path [, string $domain [, bool $secure= false [, bool $httponly= false ]]]] )- Application cookies (parameter
$httponlyshould be set totrue):
bool setcookie ( string $name [, string $value [, int $expire= 0 [, string $path [, string $domain [, bool $secure= false [, bool $httponly= false ]]]]]] )
| Classifications |
|---|
- CWE-1004
- CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
| References |
|---|
Updated 4 months ago