Insecurely generated cookies - HttpOnly | Fluid Attacks Database

Database

Description

The applications cookies are generated without properly setting the HttpOnly attribute.

Impact

Obtain sensitive information by performing a XSS attack.

Recommendation

The application must set the HttpOnly attribute in the cookies with sensitive information.

Threat

Authorized attacker from internet network performing a XSS attack.

Expected Remediation Time

⏱️ 30 minutes.

Requirements

029 - Cookies with security attributes

Rules

Http Cookie Missing Httponly Scala Cookie Missing Httponly Ruby Sensitive Cookie Without Httponly Typescript Session Cookie Http Only False Php Set Cookie Without Httponly Go Http Only Disabled Php Session Cookie Missing Httponly Kotlin Cookie Missing Httponly Javascript Httponly Flag Not Set C Sharp Http Only False Cookie Python Cookie Httponly False Javascript Session Cookie Http Only False Typescript Httponly Flag Not Set Java Http Only Not Set

Fixes

Csharp Dart Go Java JavaScript/TypeScript Php Python Ruby Scala