CWE-1004 - Sensitive Cookie Without 'HttpOnly' Flag

  • Abstraction:Variant
  • Structure:Simple
  • Status:Incomplete
  • Release Date:2017-01-19
  • Latest Modification Date:2026-04-30

Weakness Name

Sensitive Cookie Without 'HttpOnly' Flag

Description

The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.

Common Consequences

Scope: Confidentiality

Impact: Read Application Data

Notes: If the HttpOnly flag is not set, then sensitive information stored in the cookie may be exposed to unintended parties.

Scope: Integrity

Impact: Gain Privileges or Assume Identity

Notes: If the cookie in question is an authentication cookie, then not setting the HttpOnly flag may allow an adversary to steal authentication data (e.g., a session ID) and assume the identity of the user.

Related Weaknesses

CWE-732Incorrect Permission Assignment for Critical ResourceHigh

Related Alerts

Cookie No HttpOnly FlagLow