Typescript Httponly Flag Not Set
Description
Detects when cookies are set without the HttpOnly flag in TypeScript code. Cookies without HttpOnly are accessible to client-side scripts, potentially exposing sensitive information to cross-site scripting (XSS) attacks if the cookie contains sensitive data like session tokens.
Detection Strategy
• Identifies cookie-setting operations in TypeScript code (e.g., res.cookie(), setCookie calls)
• Examines the cookie configuration options to check if HttpOnly flag is missing
• Reports a vulnerability when a cookie is set without explicitly enabling the HttpOnly flag
• Focuses on server-side TypeScript code where cookies are configured or modified
Vulnerable code example
import express from 'express';
const app = express();
app.get('/login', (req, res) => {
  // Vulnerable: cookie set without the HttpOnly flag, so client-side scripts can read it
  res.setHeader('Set-Cookie', 'token=abc123; Path=/; Secure; SameSite=Lax');
  res.send('Cookie set');
});
✅ Secure code example
import express from 'express';
const app = express();
app.get('/login', (req, res) => {
  // Secure: HttpOnly flag added so the cookie is not exposed to client-side scripts
  res.setHeader('Set-Cookie', 'token=abc123; Path=/; HttpOnly; Secure; SameSite=Lax');
  res.send('Cookie set');
});