Summary
The application is missing the 'httpOnly' cookie attribute
Impact
Application
Solution
Set the 'httpOnly' attribute for any session cookies.
Insight
The flaw is due to a cookie is not using the 'httpOnly' attribute. This allows a cookie to be accessed by JavaScript which could lead to session hijacking attacks.
Affected
Application with session handling in cookies.
Detection
Check all cookies sent by the application for a missing 'httpOnly' attribute
References