Java Http Only Not Set
Description
Detects Java web applications that create cookies without setting the HttpOnly flag. A cookie without HttpOnly is readable from client-side JavaScript (for example via document.cookie), so an XSS flaw can steal it, potentially leading to session hijacking.
Detection Strategy
• Monitor for cookie creation using the 'addCookie' method call in Java code
• Examine the cookie object being created to verify whether setHttpOnly(true) was called on it before it was added to the response
• Report a vulnerability if a cookie is added without the HttpOnly flag explicitly set to true
• Focus on Response/Cookie management API calls that handle cookie creation
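The strategy above, applied as an added example that is not Fluid Attacks' own analyzer: a small Python scanner that tracks each Cookie variable, records whether setHttpOnly(true) was called on it, and flags every addCookie() call whose cookie lacks the flag. The Java fragments in SAMPLE_JAVA are constructed for this example; the check is line-order based and flow-insensitive, so it is a triage aid, not a full data-flow analysis.

```python
import re

# Constructed sample: three cookies, only the second one sets HttpOnly to true.
SAMPLE_JAVA = """
Cookie session = new Cookie("sessionId", token);
session.setSecure(true);
session.setPath("/");
response.addCookie(session);

Cookie pref = new Cookie("theme", "dark");
pref.setHttpOnly(true);
pref.setSecure(true);
response.addCookie(pref);

Cookie bad = new Cookie("t", "x");
bad.setHttpOnly(false);
response.addCookie(bad);
"""

NEW_COOKIE = re.compile(r'\bCookie\s+(\w+)\s*=\s*new\s+Cookie\s*\(')
SET_HTTPONLY = re.compile(r'\b(\w+)\.setHttpOnly\s*\(\s*(true|false)\s*\)')
ADD_COOKIE = re.compile(r'\.addCookie\s*\(\s*(\w+)\s*\)')


def find_cookies_without_httponly(source: str) -> list[tuple[int, str]]:
    """Return (line_number, variable) for every addCookie() whose cookie
    did not have setHttpOnly(true) called on it earlier in the source."""
    httponly: dict[str, bool] = {}
    findings: list[tuple[int, str]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = NEW_COOKIE.search(line)
        if m:
            httponly[m.group(1)] = False  # javax.servlet Cookie defaults to HttpOnly=false
        m = SET_HTTPONLY.search(line)
        if m:
            httponly[m.group(1)] = (m.group(2) == "true")
        m = ADD_COOKIE.search(line)
        # A cookie never seen in this source is reported too (conservative choice)
        if m and not httponly.get(m.group(1), False):
            findings.append((lineno, m.group(1)))
    return findings


if __name__ == "__main__":
    for lineno, var in find_cookies_without_httponly(SAMPLE_JAVA):
        print(f"line {lineno}: cookie '{var}' added without HttpOnly")
```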
Vulnerable code example
import javax.servlet.http.*;
public class VulnerableCookieServlet extends HttpServlet {
    public void doGet(HttpServletRequest request, HttpServletResponse response) {
        // Vulnerable: Cookie missing HttpOnly flag, making it accessible to client-side scripts
        Cookie cookie = new Cookie("sessionId", "abc123");
        cookie.setSecure(true);
        cookie.setPath("/");
        // setHttpOnly(true) is never called, so the default (false) applies
        response.addCookie(cookie);
    }
}
✅ Secure code example
import javax.servlet.http.*;
import java.security.SecureRandom;
import java.util.Base64;
public class SecureCookieServlet extends HttpServlet {
    public void doGet(HttpServletRequest request, HttpServletResponse response) {
        // Generate secure random session ID
        SecureRandom random = new SecureRandom();
        byte[] bytes = new byte[32];
        random.nextBytes(bytes);
        String sessionId = Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
        Cookie cookie = new Cookie("sessionId", sessionId);
        cookie.setHttpOnly(true); // Fixed: cookie is not readable by client-side scripts
        cookie.setSecure(true);   // Only sent over HTTPS
        response.addCookie(cookie);
    }
}