Sensitive cookie without 'HttpOnly' flag
Description
When the `HttpOnly` attribute is set to `true`, the browser withholds the cookie value from client-side JavaScript (it is not exposed through `document.cookie`). On a website that is vulnerable to Cross-Site Scripting (XSS), this prevents an injected script from reading the cookie, so a session identifier cannot be stolen that way even though the XSS flaw itself remains.
Examples
Insecure Code
```csharp
// HttpOnly is left at its default (false): the cookie is readable from document.cookie.
var cookie = new HttpCookie("SomeCookieName", "SomeValue");
```
Secure Code
```csharp
var someCookie = new HttpCookie("SomeCookieName", "SomeValue");
// Mark the cookie HttpOnly so client-side script cannot read its value.
someCookie.HttpOnly = true;
```
Remediation
Set the `HttpOnly` attribute to `true` for sensitive cookies, e.g., `someCookie.HttpOnly = true;`
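The static rule catches the missing flag in source; a response-side check catches it in what the server actually sends. The following is an added example, not code from the rule page: it parses raw `Set-Cookie` header values and reports cookies whose name suggests a session or auth token (the `SENSITIVE_NAMES` list and the sample headers are assumptions) but that lack the `HttpOnly` attribute.

```python
# Added example, not code from the rule page: a response-side check that
# complements the static rule by parsing raw Set-Cookie header values.
from typing import Dict, List

# Assumed name fragments that mark a cookie as sensitive (session/auth tokens).
SENSITIVE_NAMES = ("session", "auth", "token")


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie value into name, value and attribute map.

    Attribute names are lower-cased because browsers match them
    case-insensitively (RFC 6265); valueless flags map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        if p:
            k, _, v = p.partition("=")
            attrs[k.strip().lower()] = v.strip() or True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def is_sensitive(name: str) -> bool:
    lowered = name.lower()
    return any(frag in lowered for frag in SENSITIVE_NAMES)


def find_missing_httponly(headers: List[str]) -> List[str]:
    """Return the names of sensitive cookies set without HttpOnly."""
    findings = []
    for h in headers:
        c = parse_set_cookie(h)
        if is_sensitive(c["name"]) and "httponly" not in c["attrs"]:
            findings.append(c["name"])
    return findings


# Constructed sample headers for demonstration.
SAMPLE_HEADERS = [
    "ASP.NET_SessionId=abc123; path=/",                       # sensitive, flagged
    "SomeCookieName=SomeValue; path=/",                       # not sensitive
    "AuthToken=xyz; path=/; HttpOnly; Secure; SameSite=Lax",  # sensitive, ok
    "theme=dark; Path=/; Max-Age=31536000",                   # not sensitive
]

if __name__ == "__main__":
    for n in find_missing_httponly(SAMPLE_HEADERS):
        print(f"sensitive cookie '{n}' is set without HttpOnly")
```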
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0439 |
| Category | Web |
| Severity | LOW |
| CWE | CWE-1004 |
| Confidence | HIGH |
| Impact | LOW |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | XSS, Cookie Security |
| OWASP | A6:2017-Security Misconfiguration, A05:2021-Security Misconfiguration |