Ruby Sensitive Cookie Without Httponly
Description
Detects when sensitive cookies in Ruby applications are set without the HttpOnly flag. This security issue allows client-side scripts to access sensitive cookie data, potentially exposing the application to cross-site scripting (XSS) attacks and cookie theft.
Detection Strategy
• Look for cookie assignments through direct assignment operations or method invocations like cookies[], cookies.permanent[]
• Check if the cookie name contains sensitive terms (e.g. session, token, auth)
• Verify if the cookie configuration options lack 'httponly: true' in the arguments
• Flag cases where sensitive cookies are created without explicitly enabling the HttpOnly flag
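The following detector is an added, illustrative implementation of the four steps above, written for this page rather than taken from Fluid Attacks' rule engine. It is a regex approximation over joined statements (bracket-depth based), so the sensitive-term list, the `SAMPLE` source and all helper names are assumptions.

```ruby
# Added example: mirrors the detection strategy above (not the vendor's rule).
SENSITIVE_TERMS = %w[session token auth].freeze

# Step 1: cookie writes via cookies[:name] = ... or cookies.permanent[:name] = ...
ASSIGNMENT = /cookies(?:\.\w+)*\[\s*:?["']?(\w+)["']?\s*\]\s*=(?!=)\s*(.*)$/
# ... and via response.set_cookie(:name, options)
SET_COOKIE = /set_cookie\(\s*:?["']?(\w+)["']?\s*,\s*(.*)$/
# Step 3: only an explicit httponly: true (or :httponly => true) clears the finding
HTTPONLY_ON = /\bhttponly\s*(?:=>|:)\s*true\b/

# Join physical lines while brackets are open so a multi-line options hash
# is inspected as one statement.
def logical_lines(source)
  out, buf, depth = [], +"", 0
  source.each_line do |line|
    buf << line.strip << " "
    depth += line.count("({[") - line.count(")}]")
    next if depth > 0
    out << buf.strip
    buf = +""
  end
  out << buf.strip unless buf.strip.empty?
  out
end

# Step 2: case-insensitive substring match against the sensitive terms
def sensitive_cookie?(name)
  SENSITIVE_TERMS.any? { |term| name.downcase.include?(term) }
end

# Step 4: return the cookie name when a statement writes a sensitive cookie
# without httponly: true, otherwise nil.
def flag_statement(stmt)
  match = ASSIGNMENT.match(stmt) || SET_COOKIE.match(stmt)
  return nil unless match
  name, options = match[1], match[2]
  return nil unless sensitive_cookie?(name)
  return nil if HTTPONLY_ON.match?(options)
  name
end

# Scan Ruby source text; returns the flagged cookie names in order.
def scan_source(source)
  logical_lines(source).map { |stmt| flag_statement(stmt) }.compact
end

# Constructed sample combining the page's vulnerable and secure patterns.
SAMPLE = <<~RUBY
  cookies[:auth_token] = { value: "abc123" }
  response.set_cookie(:user_token, value: "token123", httponly: false)
  cookies[:auth_token] = { value: "abc123", httponly: true }
  response.set_cookie(:user_token, {
    value: "token123",
    httponly: true
  })
  cookies[:theme] = "dark"
RUBY

puts scan_source(SAMPLE).inspect if $PROGRAM_NAME == __FILE__
```

Only the two vulnerable statements are reported; the multi-line secure call and the non-sensitive `theme` cookie are not flagged.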
Vulnerable code example

class UsersController < ApplicationController
  def login
    # VULNERABLE: Cookie set without HttpOnly flag, exposing it to XSS attacks
    cookies[:auth_token] = { value: "abc123" }
    # VULNERABLE: Explicitly disabled HttpOnly flag
    response.set_cookie(:user_token, value: "token123", httponly: false)
  end
end

Secure code example
class UsersController < ApplicationController
  def login
    # SAFE: Cookie set with HttpOnly flag to prevent XSS access
    cookies[:auth_token] = { value: "abc123", httponly: true }
    # SAFE: Set cookie with HttpOnly and other security flags
    response.set_cookie(:user_token, {
      value: "token123",
      httponly: true
    })
  end
end