
CWE-1004 - Sensitive Cookie Without 'HttpOnly' Flag

CWE-1004 Medium

  • Abstraction: Variant
  • Structure: Simple
  • Status: Incomplete
Weakness Name

Sensitive Cookie Without 'HttpOnly' Flag

Description

The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.

The HttpOnly flag directs compatible browsers to prevent client-side script from accessing cookies. Including the HttpOnly flag in the Set-Cookie HTTP response header helps mitigate the risk associated with Cross-Site Scripting (XSS), where an attacker's script might attempt to read the contents of a cookie and exfiltrate the information obtained. When the flag is set, browsers that support it will not reveal the contents of the cookie to a third party via client-side script executed through XSS.
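As an added example (not part of the CWE entry), the check below parses Set-Cookie response headers with the Python standard library, reports sensitive-looking cookies that lack HttpOnly, and rewrites such a header with the flag added. The sensitive-name heuristic and the sample headers are constructed for this example.

```python
from http.cookies import SimpleCookie

# Name fragments that usually indicate session/authentication cookies.
# Assumed heuristic for this example, not part of the CWE entry.
SENSITIVE_NAME_HINTS = ("session", "sess", "auth", "token", "sid")


def is_sensitive_name(name: str) -> bool:
    """Heuristic: does the cookie name suggest it carries credentials?"""
    lowered = name.lower()
    return any(hint in lowered for hint in SENSITIVE_NAME_HINTS)


def audit_set_cookie(header_value: str) -> dict:
    """Parse one Set-Cookie value and report whether HttpOnly is present.

    The stdlib parser stores flag attributes (HttpOnly, Secure) as True on
    the Morsel when they appear in the header and as "" when absent.
    """
    jar = SimpleCookie()
    jar.load(header_value)
    name = next(iter(jar))          # one cookie per Set-Cookie header
    httponly = bool(jar[name]["httponly"])
    sensitive = is_sensitive_name(name)
    finding = None
    if sensitive and not httponly:
        finding = f"CWE-1004: sensitive cookie '{name}' is set without HttpOnly"
    return {"name": name, "sensitive": sensitive, "httponly": httponly, "finding": finding}


def audit_response_headers(headers: list) -> list:
    """Run the check over (header-name, value) pairs of one HTTP response."""
    findings = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            result = audit_set_cookie(value)
            if result["finding"]:
                findings.append(result["finding"])
    return findings


def harden_set_cookie(header_value: str) -> str:
    """Return the same Set-Cookie value with the HttpOnly attribute added."""
    jar = SimpleCookie()
    jar.load(header_value)
    morsel = jar[next(iter(jar))]
    morsel["httponly"] = True
    return morsel.OutputString()


# Constructed sample response headers (not captured from any real server).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SESSIONID=abc123; Path=/"),             # weak: no HttpOnly
    ("Set-Cookie", "theme=dark; Path=/"),                    # not sensitive
    ("Set-Cookie", "auth_token=xyz789; Path=/; HttpOnly"),   # already correct
]

if __name__ == "__main__":
    for finding in audit_response_headers(SAMPLE_HEADERS):
        print(finding)
    print(harden_set_cookie("SESSIONID=abc123; Path=/"))
```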

Common Consequences

Scope: Confidentiality

Impact: Read Application Data

Notes: If the HttpOnly flag is not set, then sensitive information stored in the cookie may be exposed to unintended parties.

Scope: Integrity

Impact: Gain Privileges or Assume Identity

Notes: If the cookie in question is an authentication cookie, then not setting the HttpOnly flag may allow an adversary to steal authentication data (e.g., a session ID) and assume the identity of the user.

Related Weaknesses
Related Alerts
  • Release Date: 2017-01-19
  • Latest Modification Date: 2023-10-26
