HTTP Cookie Missing HttpOnly
Description
Detects sensitive cookies (such as session or authentication cookies) that are set without the HttpOnly flag in HTTP responses. Without HttpOnly, a cookie is readable from JavaScript through document.cookie, so any cross-site scripting (XSS) flaw in the application lets an attacker's script read the cookie, send it to a server they control and hijack the session. HttpOnly does not prevent XSS itself; it removes cookie theft from what an XSS payload can achieve, which is why it belongs on every cookie that carries session or authentication state.
Detection Strategy
• Examines Set-Cookie headers in HTTP responses
• Identifies cookies with sensitive names (e.g., containing 'session', 'auth', 'token')
• Checks if each sensitive cookie has the HttpOnly flag set
• Reports a vulnerability if any sensitive cookie is found without the HttpOnly flag
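The following script applies the four steps above to a raw HTTP response. It is an added example written for this page, not Fluid Attacks' scanner code; the sensitive-name list, the function names and the sample response are constructed for illustration. Attribute names are matched case-insensitively (RFC 6265 requires this), so `httponly` and `HttpOnly` are treated alike, and every Set-Cookie header in the response is checked separately rather than only the first.

```python
"""Check Set-Cookie headers for sensitive cookies that lack HttpOnly.

Added example, not part of the original page or the scanner it describes.
"""

# Assumed list of name fragments that mark a cookie as sensitive; a real
# scanner would maintain a longer, tunable list.
SENSITIVE_NAME_HINTS = ("session", "auth", "token")


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attribute: value}).

    Attribute keys are lowercased because RFC 6265 matches them
    case-insensitively; flag attributes such as HttpOnly map to "".
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def is_sensitive(cookie_name):
    """Step 2: treat the cookie as sensitive if its name contains a hint."""
    lowered = cookie_name.lower()
    return any(hint in lowered for hint in SENSITIVE_NAME_HINTS)


def set_cookie_headers(raw_response):
    """Step 1: collect the value of every Set-Cookie header in a raw response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        header_name, sep, header_value = line.partition(":")
        if sep and header_name.strip().lower() == "set-cookie":
            values.append(header_value.strip())
    return values


def find_missing_httponly(raw_response):
    """Steps 3 and 4: return names of sensitive cookies set without HttpOnly."""
    findings = []
    for header in set_cookie_headers(raw_response):
        name, _, attrs = parse_set_cookie(header)
        if is_sensitive(name) and "httponly" not in attrs:
            findings.append(name)
    return findings


# Constructed sample response: two sensitive cookies lack HttpOnly, one has it
# (in lowercase), and one cookie is not sensitive at all.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/; Secure\r\n"
    "Set-Cookie: auth_token=tok123; Path=/; Secure; httponly; SameSite=Lax\r\n"
    "Set-Cookie: theme=dark; Path=/\r\n"
    "Set-Cookie: csrftoken=deadbeef; Path=/; Secure\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    for cookie in find_missing_httponly(SAMPLE_RESPONSE):
        print(f"sensitive cookie without HttpOnly: {cookie}")
```

On the sample response the check reports `JSESSIONID` and `csrftoken`. The second finding is worth triaging rather than fixing blindly: a CSRF token delivered in a cookie for the double-submit pattern must be readable by page scripts, so a name-based heuristic will flag it even though the design requires JavaScript access. Session and authentication cookies, by contrast, have no reason to be script-readable and should always carry HttpOnly (and, on HTTPS sites, Secure).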