Scala Cookie Missing Httponly
Description
Detects when cookies are created without the HttpOnly flag in Scala web applications. The HttpOnly flag prevents client-side scripts from accessing sensitive cookie data. Missing this flag can allow attackers to steal session cookies through cross-site scripting (XSS) attacks.
Detection Strategy
• Checks if the javax.servlet.http library is imported in the source code
• Identifies calls to the addCookie() method for cookie creation
• Examines cookie object configuration to verify if the HttpOnly flag is explicitly set
• Reports a vulnerability when cookies are created without enabling the HttpOnly security flag
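As an added illustration (not Fluid Attacks' own detection code), the following Python sketch applies the three checks above to constructed Scala sources: it flags each addCookie() call whose cookie never had setHttpOnly(true) set, and also the inline `new Cookie(...)` form, on which no setter can ever have run. It is a linear text scan, a deliberate simplification of the rule's real dataflow analysis.

```python
import re
# Constructed Scala sources for this example (not from the page's project).
VULNERABLE_SRC = """\
import javax.servlet.http.{HttpServlet, HttpServletRequest, HttpServletResponse, Cookie}
class VulnerableCookieServlet extends HttpServlet {
  override def doGet(req: HttpServletRequest, resp: HttpServletResponse): Unit = {
    val sessionCookie = new Cookie("SESSIONID", "abc123")
    resp.addCookie(sessionCookie)
    resp.addCookie(new Cookie("TRACK", "xyz"))
  }
}
"""
SECURE_SRC = """\
import javax.servlet.http.{HttpServlet, HttpServletRequest, HttpServletResponse, Cookie}
class SecureCookieServlet extends HttpServlet {
  override def doGet(req: HttpServletRequest, resp: HttpServletResponse): Unit = {
    val sessionCookie = new Cookie("SESSIONID", "abc123")
    sessionCookie.setHttpOnly(true)
    sessionCookie.setSecure(true)
    resp.addCookie(sessionCookie)
  }
}
"""

# The three checks from the detection strategy: the javax.servlet.http import,
# addCookie() calls (named variable or inline `new Cookie(...)`), and a prior
# setHttpOnly(true) call on that variable.
IMPORT_RE = re.compile(r"^\s*import\s+javax\.servlet\.http\b", re.MULTILINE)
ADD_COOKIE_RE = re.compile(r"\.addCookie\(\s*(?:(new\s+Cookie)\b|(\w+))")
HTTPONLY_TMPL = r"\b{name}\.setHttpOnly\(\s*true\s*\)"


def find_missing_httponly(src: str) -> list:
    """Return (line_no, cookie_expr) for each addCookie() whose cookie never had
    setHttpOnly(true) set. A linear text scan, not the rule's real dataflow analysis."""
    if not IMPORT_RE.search(src):
        return []  # rule does not apply to files without the servlet import
    findings = []
    lines = src.splitlines()
    for line_no, line in enumerate(lines, start=1):
        match = ADD_COOKIE_RE.search(line)
        if not match:
            continue
        inline, var = match.group(1), match.group(2)
        if inline:  # inline cookie: no setter could have run on it
            findings.append((line_no, inline))
        elif not re.search(HTTPONLY_TMPL.format(name=re.escape(var)), "\n".join(lines[:line_no])):
            findings.append((line_no, var))
    return findings
```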
Vulnerable code example
```scala
import javax.servlet.http.{HttpServlet, HttpServletRequest, HttpServletResponse, Cookie}

class VulnerableCookieServlet extends HttpServlet {
  override def doGet(req: HttpServletRequest, resp: HttpServletResponse): Unit = {
    // Vulnerable: Cookie created without HttpOnly flag, allowing JavaScript access
    val sessionCookie = new Cookie("SESSIONID", "abc123")
    resp.addCookie(sessionCookie)
  }
}
```
✅ Secure code example
```scala
import javax.servlet.http.{HttpServlet, HttpServletRequest, HttpServletResponse, Cookie}

class SecureCookieServlet extends HttpServlet {
  override def doGet(req: HttpServletRequest, resp: HttpServletResponse): Unit = {
    // Set HttpOnly and Secure flags for sensitive session cookie
    val sessionCookie = new Cookie("SESSIONID", "abc123")
    sessionCookie.setHttpOnly(true) // Prevent JavaScript access to cookie (setter available since Servlet 3.0)
    sessionCookie.setSecure(true) // Only send over HTTPS
    resp.addCookie(sessionCookie)
  }
}
```