Java Missing Secure Cookie Flag Servlet
Description
Identifies cookies created without the Secure flag in Java Servlet applications. A cookie without the Secure flag is also sent over unencrypted HTTP connections, exposing its value (for example a session identifier) to anyone able to intercept network traffic.
Detection Strategy
• Identifies calls to addCookie() method in Java Servlet code
• Examines cookie configuration to check if the secure flag is set
• Reports a vulnerability when a cookie is added without explicitly setting the secure flag to true
• Focuses on response.addCookie() and similar cookie creation methods
Vulnerable code example
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

public void setCookie(HttpServletResponse response) {
    Cookie cookie = new Cookie("sessionId", "abc123");
    cookie.setPath("/");
    cookie.setHttpOnly(true);
    // Vulnerable: the cookie is never marked Secure, so the browser also sends it over plain HTTP
    response.addCookie(cookie);
}

✅ Secure code example
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

public void setCookie(HttpServletResponse response) {
    Cookie cookie = new Cookie("sessionId", "abc123");
    cookie.setPath("/");
    cookie.setHttpOnly(true);
    cookie.setSecure(true); // Required: ensures the cookie is only sent over HTTPS
    response.addCookie(cookie);
}
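An added example, not Fluid Attacks' own rule implementation, that applies the detection strategy above: a small Python scanner walks Java source line by line, records which Cookie variables have had setSecure(true) called, and flags every addCookie() whose cookie was not explicitly secured before the call. The sample inputs are constructed; besides the two snippets above it covers two cases they do not show: a cookie built inline inside addCookie(), and setSecure(true) called only after addCookie() (too late, because the container serializes the Set-Cookie header at the addCookie() call).

```python
import re

# Constructed samples, not files from the page: the page's two snippets completed
# with the addCookie() call, plus two extra cases the snippets do not show.
VULNERABLE_SRC = """\
Cookie cookie = new Cookie("sessionId", "abc123");
cookie.setPath("/");
cookie.setHttpOnly(true);
response.addCookie(cookie);
"""
SECURE_SRC = """\
Cookie cookie = new Cookie("sessionId", "abc123");
cookie.setPath("/");
cookie.setHttpOnly(true);
cookie.setSecure(true);
response.addCookie(cookie);
"""
TOO_LATE_SRC = """\
Cookie c = new Cookie("sessionId", "abc123");
response.addCookie(c);
c.setSecure(true);
response.addCookie(new Cookie("lang", "en"));
"""

# <var>.setSecure(<arg>)  and  <resp>.addCookie(<var> | new Cookie(...))
SET_SECURE = re.compile(r"\b(\w+)\.setSecure\s*\(\s*([^)]*)\)")
ADD_COOKIE = re.compile(r"\.addCookie\s*\(\s*(new\s+Cookie|\w+)")


def find_insecure_cookies(source):
    """Return [(line_no, cookie_expr)] for every addCookie() call whose cookie
    did not have setSecure(true) called on it earlier in the source."""
    secured = set()  # variables explicitly marked Secure so far
    findings = []
    for line_no, line in enumerate(source.splitlines(), 1):
        for var, arg in SET_SECURE.findall(line):
            if arg.strip() == "true":
                secured.add(var)
            else:  # setSecure(false) or a non-literal argument: not explicitly true
                secured.discard(var)
        for expr in ADD_COOKIE.findall(line):
            # An inline 'new Cookie(...)' can never have been secured; a named
            # variable is only safe if setSecure(true) preceded this call.
            if expr.split()[0] == "new" or expr not in secured:
                findings.append((line_no, expr))
    return findings


if __name__ == "__main__":
    for name, src in [("vulnerable", VULNERABLE_SRC), ("secure", SECURE_SRC), ("too-late", TOO_LATE_SRC)]:
        print(name, find_insecure_cookies(src))
```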