Javascript Insecurely Generated Cookies
Description
Detects when cookies are created without proper security attributes in JavaScript code. Cookies created without security flags like 'secure' or 'httpOnly' can be exposed to attacks like XSS or man-in-the-middle, potentially compromising sensitive data stored in cookies.
Detection Strategy
• Identifies direct cookie assignments using document.cookie
• Checks if cookie creation is missing security flags (secure, httpOnly)
• Looks for cookie operations that don't specify the SameSite attribute
• Reports a vulnerability when cookies are set without required security attributes
Vulnerable code example
const express = require('express');
const app = express();

app.get('/vulnerable', (req, res) => {
  // Vulnerable: Cookie can be transmitted over insecure HTTP due to secure:false
  res.cookie('userToken', 'secret123', { secure: false, httpOnly: true });
  res.send('Cookie set');
});

Secure code example
const express = require('express');
const app = express();

app.get('/vulnerable', (req, res) => {
  // Secure: Cookie configured with all recommended security flags
  res.cookie('userToken', 'secret123', {
    secure: true, // Ensures cookie is only sent over HTTPS
    httpOnly: true, // Prevents JavaScript access to cookie
    // ...
  });
  res.send('Cookie set');
});