C Sharp Http Only False Cookie
Description
Detects cookies configured without the HttpOnly flag in C# applications. When HttpOnly is set to false or missing, cookies become accessible to client-side scripts, potentially exposing sensitive data to cross-site scripting (XSS) attacks.
Detection Strategy
• Identifies cookie configurations in C# code where the HttpOnly property is being set
• Analyzes the property assignment to determine if HttpOnly is set to false
• Checks if the cookie is in a security-sensitive context (like authentication or session cookies)
• Reports a vulnerability when HttpOnly is explicitly disabled on security-sensitive cookies
Vulnerable code example
using System.Web;
public class InsecureCookieExample
{
public HttpCookie CreateVulnerableCookie()
{
HttpCookie cookie = new HttpCookie("sessionId");
cookie.HttpOnly = false; // Vulnerable: Allows client-side script access to cookie...✅ Secure code example
using System.Web;
public class SecureCookieExample
{
public HttpCookie CreateSecureCookie()
{
HttpCookie cookie = new HttpCookie("sessionId");
cookie.HttpOnly = true; // Secure: Prevents client-side script access to cookie...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.