Kotlin Cookie Missing Httponly
Description
Detects when cookies are created without the HttpOnly flag in Kotlin applications. Cookies without HttpOnly are vulnerable to cross-site scripting (XSS) attacks since malicious JavaScript can access these cookies, potentially leading to session hijacking.
Detection Strategy
• Identifies calls to the addCookie() method in the code
• Examines the cookie configuration parameters in the addCookie() call
• Reports a vulnerability when a cookie is created without explicitly setting the HttpOnly flag
• Focuses on Response.addCookie() and similar cookie management methods
Vulnerable code example
import jakarta.servlet.http.Cookie
import jakarta.servlet.http.HttpServletResponse

public fun setCookie(value: String, response: HttpServletResponse) {
    // Vulnerable: Cookie created without HttpOnly flag, exposing it to XSS attacks
    val cookie = Cookie("sessionId", value)
    response.addCookie(cookie)
}

✅ Secure code example
import jakarta.servlet.http.Cookie
import jakarta.servlet.http.HttpServletResponse

public fun setCookie(value: String, response: HttpServletResponse) {
    val cookie = Cookie("sessionId", value)
    cookie.isHttpOnly = true // Prevents JavaScript access to cookie, mitigating XSS
    cookie.secure = true // Ensures cookie is only sent over HTTPS
    // Cookie.setAttribute() requires Jakarta Servlet 6.0 or later
    cookie.setAttribute("SameSite", "Strict") // Protects against CSRF attacks
    response.addCookie(cookie)
}
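As an added example (not Fluid Attacks' scanner or the page's own code), a line-based Python approximation of the detection strategy described above: locate each addCookie() call, walk back to the local `val x = Cookie(...)` declaration, and flag the call when HttpOnly is never enabled in between. The regexes, the function names and the Kotlin snippets are assumptions and constructed input; it also covers two edge cases the page does not show, a cookie with HttpOnly explicitly set to false and a cookie constructed inline inside the addCookie() call, and accepts the Java-style setHttpOnly(true) spelling.

```python
import re

# Assumed, line-based approximation of the rule: not a Kotlin parser, so a
# cookie configured in a helper function or via a multi-line chain is missed.
DECL_RE = re.compile(r"\b(?:val|var)\s+(\w+)\s*(?::\s*Cookie)?\s*=\s*Cookie\s*\(")
ADD_RE = re.compile(r"\.addCookie\s*\(\s*(\w+)\s*\)")
INLINE_RE = re.compile(r"\.addCookie\s*\(\s*Cookie\s*\(")


def http_only_set(name: str, body: str) -> bool:
    """True if `name` has HttpOnly explicitly enabled (Kotlin property or Java-style setter)."""
    pat = rf"\b{re.escape(name)}\s*\.\s*(?:isHttpOnly\s*=\s*true|setHttpOnly\s*\(\s*true\s*\))"
    return re.search(pat, body) is not None


def find_missing_httponly(source: str) -> list[int]:
    """Return 1-based line numbers of addCookie() calls whose cookie never gets HttpOnly."""
    lines = source.splitlines()
    findings: list[int] = []
    for idx, line in enumerate(lines, start=1):
        if INLINE_RE.search(line):
            findings.append(idx)  # cookie built inline: the flag cannot have been set
            continue
        call = ADD_RE.search(line)
        if not call:
            continue
        name = call.group(1)
        # Walk back to the nearest `val name = Cookie(...)` declaration.
        decl_idx = None
        for back in range(idx - 1, 0, -1):
            decl = DECL_RE.search(lines[back - 1])
            if decl and decl.group(1) == name:
                decl_idx = back
                break
        if decl_idx is None:
            continue  # parameter or field: not a local Cookie(...) construction
        body = "\n".join(lines[decl_idx - 1:idx])
        if not http_only_set(name, body):
            findings.append(idx)
    return findings


# Constructed Kotlin snippets: the page's two examples plus two edge cases.
VULNERABLE = 'fun set(v: String, r: HttpServletResponse) {\n    val cookie = Cookie("sessionId", v)\n    r.addCookie(cookie)\n}\n'
SECURE = 'fun set(v: String, r: HttpServletResponse) {\n    val cookie = Cookie("sessionId", v)\n    cookie.isHttpOnly = true\n    cookie.secure = true\n    r.addCookie(cookie)\n}\n'
EXPLICIT_FALSE = 'val c = Cookie("a", "b")\nc.isHttpOnly = false\nresp.addCookie(c)\n'
INLINE = 'resp.addCookie(Cookie("a", "b"))\n'

if __name__ == "__main__":
    for label, src in {"vulnerable": VULNERABLE, "secure": SECURE}.items():
        print(label, find_missing_httponly(src))
```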