Javascript Httponly Flag Not Set
Description
Detects when cookies are configured without the HttpOnly flag set, which allows JavaScript running in the page to access sensitive cookie data. This vulnerability increases the risk of session hijacking through Cross-Site Scripting (XSS) attacks, since any client-side script, including injected script, can read the cookie value through document.cookie; with HttpOnly set, the browser sends the cookie only in HTTP requests and hides it from script.
Detection Strategy
• Identifies cookie-related method calls in JavaScript code that set or configure cookies
• Examines the cookie configuration parameters to check if HttpOnly flag is missing
• Reports a vulnerability when a cookie is configured without explicitly setting the HttpOnly flag to true
• Focuses on cookie setting operations that end with specific method patterns defined in METHOD_SINKS
• Validates both the cookie name and configuration arguments to ensure accurate detection
Vulnerable code example

import express from 'express';
const app = express();
app.get('/login', (req, res) => {
  // Vulnerable: Setting cookie without HttpOnly flag exposes it to XSS attacks
  res.setHeader('Set-Cookie', 'token=abc123; Path=/; Secure; SameSite=Lax');
  res.send('Cookie set');
});

✅ Secure code example
import express from 'express';
const app = express();
app.get('/login', (req, res) => {
  // Secure: HttpOnly flag prevents JavaScript access to cookie
  res.setHeader('Set-Cookie', 'token=abc123; Path=/; Secure; HttpOnly; SameSite=Lax');
  res.send('Cookie set');
});
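The check described above, as an added example that is not Fluid Attacks' detector: it parses Set-Cookie header values like the ones in the two examples and reports every cookie that lacks the HttpOnly attribute. Attribute names are matched case-insensitively, as browsers do, so `httponly` in lower case still counts as set; the sample headers are constructed for this example.

```javascript
// Parse one Set-Cookie header value into name, value and a map of attributes.
// Attribute names are case-insensitive (RFC 6265), so they are lower-cased;
// a valueless attribute such as "Secure" or "HttpOnly" is stored as true.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  // Only the first "=" separates name from value; later ones belong to the value.
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attributes = {};
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name, value, attributes };
}

// Return one finding per Set-Cookie value that does not carry HttpOnly.
function findCookiesWithoutHttpOnly(headers) {
  const findings = [];
  for (const header of headers) {
    const cookie = parseSetCookie(header);
    if (!('httponly' in cookie.attributes)) {
      findings.push({ name: cookie.name, header });
    }
  }
  return findings;
}

// Constructed sample: the vulnerable and secure headers from the examples
// above, plus a lower-case variant that browsers still treat as HttpOnly.
const SAMPLE_HEADERS = [
  'token=abc123; Path=/; Secure; SameSite=Lax',
  'token=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
  'sid=xyz; path=/; httponly',
];

for (const f of findCookiesWithoutHttpOnly(SAMPLE_HEADERS)) {
  console.log(`Missing HttpOnly on cookie "${f.name}": ${f.header}`);
}
```

Only the first sample header is reported; the same check can be run over the Set-Cookie values a test client receives from the /login route to confirm the fix is in place.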