Sensitive Cookie Without 'HttpOnly' Flag
Description
A new cookie is created without the HttpOnly flag set. The HttpOnly flag is a directive to the browser that the cookie must not be readable by client-side script (for example via `document.cookie`). When a user is the target of a Cross-Site Scripting attack, the attacker would benefit greatly from obtaining the session id, for example.
Examples
Insecure Code
```scala
// The cookie is added with no HttpOnly attribute, so page scripts can read it
val C = new javax.servlet.http.Cookie("session", "123");
response.addCookie(C);
```
Secure Code
```scala
val C = new javax.servlet.http.Cookie("session", "123");
// Instruct the browser to withhold the cookie from script access
C.setHttpOnly(true);
response.addCookie(C);
```
Remediation
Set the HttpOnly flag to true when creating a new cookie, e.g., `C.setHttpOnly(true);`
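A way to verify the remediation from outside the application is to audit the `Set-Cookie` headers the server actually emits. The following is an added example, not part of the rule or its checker: it parses constructed `Set-Cookie` values (what a servlet container sends for the two snippets above) and reports session-like cookies lacking `HttpOnly`. The list of sensitive cookie names is an assumption for this example.

```python
"""Audit Set-Cookie response headers for session cookies missing HttpOnly."""
from typing import Dict, List, Set

# Cookie names treated as session identifiers; an assumption for this example.
SENSITIVE_NAMES = {"session", "sessionid", "jsessionid", "sid", "auth", "token"}


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie value into its name, value and lowercase attribute names."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Set[str] = set()
    for attr in parts[1:]:
        key = attr.split("=", 1)[0].strip().lower()  # "Path=/" -> "path"
        if key:
            attrs.add(key)
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def is_sensitive(name: str) -> bool:
    """Heuristic: exact match on the list above, or any name containing 'session'."""
    lowered = name.lower()
    return lowered in SENSITIVE_NAMES or "session" in lowered


def find_missing_httponly(headers: List[str]) -> List[str]:
    """Return the names of sensitive cookies that were set without HttpOnly."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if is_sensitive(cookie["name"]) and "httponly" not in cookie["attrs"]:
            findings.append(cookie["name"])
    return findings


# Constructed sample headers; the first two mirror the insecure and secure snippets.
SAMPLE_HEADERS = [
    "session=123",                      # insecure snippet: no HttpOnly
    "session=123; HttpOnly",            # secure snippet: C.setHttpOnly(true)
    "theme=dark; Path=/",               # not sensitive, HttpOnly not required
    "JSESSIONID=abc; Path=/; Secure",   # Secure is set, but HttpOnly is missing
]

if __name__ == "__main__":
    print(find_missing_httponly(SAMPLE_HEADERS))  # ['session', 'JSESSIONID']
```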
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0007 |
| Category | Web |
| Severity | LOW |
| CWE | CWE-1004 |
| Confidence | HIGH |
| Impact | LOW |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | cookie, httpOnly |
| OWASP | N/A |