Not Http-Only Cookie
- CWE 1004 (Sensitive Cookie Without 'HttpOnly' Flag)
HttpOnly is an optional attribute of the Set-Cookie HTTP response header. A cookie carrying it is not exposed to client-side script: it does not appear in the document.cookie property, and the browser strips it from response headers read through the XMLHttpRequest and Fetch APIs. The purpose is to limit the damage of Cross-site Scripting (XSS): if an XSS flaw exists and a user follows a link that exploits it, the injected script cannot read the cookie value and send it to a third party. Note that HttpOnly only prevents the cookie from being read. The browser still attaches it to every request the script makes to the site, so an XSS payload can still act on the user's behalf; the flag is a mitigation for cookie theft, not a substitute for fixing the XSS itself, and it does nothing to protect the cookie in transit.
Remediation
Set the HttpOnly attribute on every cookie the application issues, in particular session identifiers and any other cookie that client-side script has no legitimate need to read, for example: Set-Cookie: SESSIONID=<value>; Path=/; HttpOnly. JavaScript will then be unable to read those cookies, so a Cross-site Scripting payload cannot exfiltrate them.
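Because an HttpOnly cookie is hidden from document.cookie, the presence of the flag cannot be verified from inside the page; it has to be checked on the server's Set-Cookie response headers, as a scanner or an intercepting proxy would. The following is an added example, not code from the original page: it parses Set-Cookie header values, reports every cookie that lacks HttpOnly, and shows the remediated header. The function names and the sample headers are constructed for this example.

```javascript
// Added example: audit Set-Cookie response headers for the HttpOnly flag
// and produce the hardened form of any header that lacks it.
// parseSetCookie, auditSetCookie, addHttpOnly and SAMPLE_HEADERS are names
// chosen for this example; they are not part of any scanner or framework API.

// Parse one Set-Cookie header value into its name, value and attributes.
// Attribute names are case-insensitive (RFC 6265), so they are lower-cased.
// Quoted values containing ';' are not handled; real cookie values rarely use them.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attributes = {};
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    // Flag attributes (HttpOnly, Secure) have no value; store them as true.
    attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name, value, attributes };
}

// Report every cookie in a list of Set-Cookie headers that lacks HttpOnly.
// Returns an array of findings; an empty array means no issue was found.
function auditSetCookie(headers) {
  const findings = [];
  for (const h of headers) {
    const c = parseSetCookie(h);
    if (!c.attributes.httponly) {
      findings.push({ cookie: c.name, issue: 'missing HttpOnly', header: h });
    }
  }
  return findings;
}

// Remediation: append HttpOnly when absent, leaving other attributes untouched.
function addHttpOnly(header) {
  const c = parseSetCookie(header);
  return c.attributes.httponly ? header : `${header}; HttpOnly`;
}

// Constructed sample headers for this example (not captured from a real site).
const SAMPLE_HEADERS = [
  'SESSIONID=abc123; Path=/; Secure',                      // session cookie, no HttpOnly
  'theme=dark; Path=/',                                     // no HttpOnly
  'csrf=tok; Path=/; Secure; HttpOnly; SameSite=Strict',    // already correct
];

for (const f of auditSetCookie(SAMPLE_HEADERS)) {
  console.log(`${f.cookie}: ${f.issue}`);
  console.log(`  fix: ${addHttpOnly(f.header)}`);
}
```

Run against the sample headers, the audit flags SESSIONID and theme and leaves csrf alone. In practice the same check is applied to headers captured from a proxy log or from a server-side integration test; the session cookie is the finding that matters, since a preference cookie like theme usually carries nothing worth stealing.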