Summary
The application is missing the 'httpOnly' cookie attribute.
Impact
Application
Solution
Set the 'httpOnly' attribute for any session cookies.
Insight
The flaw is due to a cookie not using the 'httpOnly' attribute. This allows the cookie to be accessed by JavaScript, which could lead to session hijacking attacks.
Affected
Application with session handling in cookies.
Detection
Check all cookies sent by the application for a missing 'httpOnly' attribute.
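One way to run the check described under Detection, as an added example (not the scanner's own code): it parses the Set-Cookie headers of a constructed sample response and reports every cookie set without 'httpOnly'. The function names and the sample response are assumptions made for illustration.

```python
# Added example: flag Set-Cookie headers that lack the HttpOnly attribute.
# SAMPLE_RESPONSE is constructed data, not output from a real application.

SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/; Secure\r\n"
    "Set-Cookie: auth=deadbeef; Path=/; httponly; SameSite=Lax\r\n"
    "Set-Cookie: theme=HttpOnly; Path=/\r\n"
    "set-cookie: lang=en; Max-Age=3600; HTTPONLY\r\n"
    "\r\n"
    "<html></html>"
)


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, set of lower-cased attribute names)."""
    parts = value.split(";")
    # The first segment is name=value; a value that merely contains the
    # text "HttpOnly" (see the 'theme' cookie) must not count as the attribute.
    name = parts[0].split("=", 1)[0].strip()
    attrs = set()
    for part in parts[1:]:
        # Attribute names are case-insensitive; any "=value" is dropped here.
        attr = part.split("=", 1)[0].strip().lower()
        if attr:
            attrs.add(attr)
    return name, attrs


def cookies_missing_httponly(raw_response):
    """Return the names of cookies the response sets without HttpOnly."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    missing = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        field, _, value = line.partition(":")
        if field.strip().lower() != "set-cookie":  # header names are case-insensitive
            continue
        name, attrs = parse_set_cookie(value)
        if "httponly" not in attrs:
            missing.append(name)
    return missing


if __name__ == "__main__":
    for cookie in cookies_missing_httponly(SAMPLE_RESPONSE):
        print(f"cookie '{cookie}' is set without HttpOnly")
```

A response can carry several Set-Cookie headers, so each one is evaluated separately rather than stopping at the first match.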
Severity
Classification
-
CVSS Base Score: 5.0
AV:N/AC:L/Au:N/C:P/I:N/A:N