CWE-1004

Sensitive Cookie Without 'HttpOnly' Flag

AI Translation Available

The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.

Status

incomplete

Abstraction

variant

Likelihood

medium

Affected Platforms

Web Based

Extended Description

AI Translation

The HttpOnly flag directs compatible browsers to prevent client-side script from accessing cookies. Including the HttpOnly flag in the Set-Cookie HTTP response header helps mitigate the risk associated with Cross-Site Scripting (XSS) where an attacker's script code might attempt to read the contents of a cookie and exfiltrate information obtained. When set, browsers that support the flag will not reveal the contents of the cookie to a third party via client-side script executed via XSS.

Technical Details

AI Translation

Common Consequences

confidentiality integrity

Impacts

read application data gain privileges or assume identity

Detection Methods

automated static analysis

Potential Mitigations

Phases:

implementation

Descriptions:

• Leverage the HttpOnly flag when setting a sensitive cookie in a response.

AI Generated Translation

Common Consequences

riservatezza integrità

Impacts

leggere dati applicazione ottenere privilegi o assumere identità

Detection Methods

analisi statica automatizzata

Potential Mitigations

Phases:

implementazione

Descriptions:

• Sfrutta il flag HttpOnly quando imposti un cookie sensibile in una risposta.

CWE-1004

Common Consequences

Impacts

Detection Methods

Potential Mitigations

Common Consequences

Impacts

Detection Methods

Potential Mitigations

Iscriviti alla newsletter