These docs are for v1.1. Click to read the latest docs for v1.2.

Sensitive Cookie Without HttpOnly Flag

Severity: Low
Test name: Cookie Security Check
Summary

An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user's web browser. The browser may store it and send it back with later requests to the same server. Typically, it's used to tell if two requests came from the same browser (keeping a user logged-in, for example).

One of the ways to protect sensitive cookies is to ensure that they are not accessed by unintended parties or scripts: use the HttpOnly attribute. A cookie with the HttpOnly attribute is inaccessible to the JavaScript Document.cookie API. The cookie is sent only to the server. For example, cookies that persist server-side sessions do not need to be available to JavaScript, and should have the HttpOnly attribute. This precaution helps mitigate Cross-Site Scripting (XSS) attacks, where an attacker may read the contents of a cookie and use the obtained information.

Impact

The vulnerability allows an attacker to read the application data, gain privileges or assume identity.

Location

The issue can be found in the source code on the server side.

Remedy suggestions

It is necessary to configure (enable) the Secure attribute for sensitive cookies.

  • .NET
    * "Web.config" :
    ```
    <system.web>
    ...

    </system.web>

    * C# :
```js
Response.Cookies.Add(
        new HttpCookie("key", "value")
        {
            .....
            Secure = true
        });
  • PHP

    • "php.ini" :
    session.cookie_httponly = True
    
    • During a script (parameter $httponly should be set to true):
    void session_set_cookie_params ( int $lifetime  [, string $path  [, string $domain [, bool $secure= false  [, bool $httponly= false  ]]]] )
    
    • Application cookies (parameter $httponly should be set to true):
    bool setcookie ( string $name  [, string $value  [, int $expire= 0  [, string $path  [, string $domain  [, bool $secure= false  [, bool $httponly= false  ]]]]]] )
    
Classifications
  • CWE-1004
  • CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
References