The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.
The HttpOnly flag directs compatible browsers to prevent client-side script from accessing cookies. Including the HttpOnly flag in the Set-Cookie HTTP response header helps mitigate the risk associated with Cross-Site Scripting (XSS), where an attacker's script might attempt to read the contents of a cookie and exfiltrate the information obtained. When the flag is set, browsers that support it will not reveal the contents of the cookie to a third party through client-side script executed via XSS.
Threat Mapped score: 3.0
Industry: Financial
Threat priority: P2 - Serious (High)
CVE: CVE-2022-24045
Web application for a room automation system has client-side Javascript that sets a sensitive cookie without the HTTPOnly security attribute, allowing the cookie to be accessed.
CVE: CVE-2014-3852
CMS written in Python does not include the HTTPOnly flag in a Set-Cookie header, allowing remote attackers to obtain potentially sensitive information via script access to this cookie.
CVE: CVE-2015-4138
Appliance for managing encrypted communications does not use HttpOnly flag.
Phase | Note |
---|---|
Implementation | N/A |
Intro: In this example, a cookie is used to store a session ID for a client's interaction with a website. The intention is that the cookie will be sent to the website with each request made by the client.
Body: The snippet of code below establishes a new cookie to hold the sessionID.
```java
String sessionID = generateSessionId();
Cookie c = new Cookie("session_id", sessionID); // HttpOnly (and Secure) never set on this cookie
response.addCookie(c);
```
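As an added example (not part of the CWE entry), the following Python audit check parses Set-Cookie response headers and reports sensitive-looking cookies that are issued without the HttpOnly attribute, which is how the weakness in the snippet above would show up on the wire. The cookie-name pattern and the sample headers are constructed for illustration.

```python
"""Audit Set-Cookie headers for sensitive cookies that lack HttpOnly.

Added example, not part of the CWE entry. SENSITIVE_NAMES and the sample
headers below are constructed for illustration.
"""
import re
from typing import Dict, List

# Cookie names commonly used for session or auth material (constructed list).
SENSITIVE_NAMES = re.compile(r"(session|sess|auth|token|jwt|csrf)", re.IGNORECASE)


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header value into name, value and attribute map.

    Attribute names are case-insensitive per RFC 6265; flags without a value
    (HttpOnly, Secure) are stored as True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:  # tolerate a trailing ';'
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def missing_httponly(headers: List[str]) -> List[str]:
    """Return names of sensitive-looking cookies set without HttpOnly."""
    findings = []
    for h in headers:
        cookie = parse_set_cookie(h)
        if SENSITIVE_NAMES.search(cookie["name"]) and "httponly" not in cookie["attrs"]:
            findings.append(cookie["name"])
    return findings


# Constructed sample: one vulnerable cookie (as in the Java snippet above),
# one hardened cookie, and one non-sensitive preference cookie.
SAMPLE_HEADERS = [
    "session_id=8f3a2c9e1b; Path=/",
    "auth_token=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
    "theme=dark; Path=/; Max-Age=31536000",
]

if __name__ == "__main__":
    for name in missing_httponly(SAMPLE_HEADERS):
        print(f"sensitive cookie '{name}' is set without HttpOnly")
```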