HTTP session cookies might be vulnerable to cross-site scripting attacks.
Description
The remote web application uses cookies to track authenticated users. However, one or more of those cookies are not marked 'HttpOnly', meaning that a malicious client-side script such as JavaScript could read them. 'HttpOnly' is a security mechanism to protect against cross-site scripting attacks that was proposed by Microsoft and initially implemented in Internet Explorer. All modern browsers support it.
Note that:
- 'HttpOnly' can be circumvented in some cases.
- The absence of this attribute does not mean that the web application is automatically vulnerable to cross-site scripting attacks.
- Some web applications need to manipulate the session cookie through client-side scripts, and in those cases the 'HttpOnly' attribute cannot be set.
Solution
If possible, add the 'HttpOnly' attribute to all session cookies.
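The following is an added example, not part of the original plugin text, showing how the check described above can be performed on a server's Set-Cookie headers and how the remediation looks in the header itself. It parses each Set-Cookie value, flags cookies whose names look like session identifiers (the name hints are an assumption for illustration; a real assessment uses the application's actual session cookie names) and lack the HttpOnly attribute, and produces the corrected header. The sample headers are constructed.

```python
"""Check Set-Cookie headers for a missing HttpOnly attribute and show the fix.

Added example; the sample headers and session-name hints are constructed
assumptions, not values from any real application.
"""
from typing import Dict, List

# Constructed Set-Cookie header values as a server might emit them.
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/; Secure",
    "PHPSESSID=def456; Path=/; HttpOnly; Secure",
    "theme=dark; Path=/",
    "csrftoken=ghi789; Path=/; SameSite=Lax",
]

# Assumed substrings that suggest a cookie carries a session or auth token.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token")


def parse_set_cookie(header: str) -> Dict:
    """Split a Set-Cookie value into name, value and lower-cased attributes.

    Attribute names are compared case-insensitively because browsers treat
    'HttpOnly', 'httponly' and 'HTTPONLY' identically.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def looks_like_session_cookie(name: str) -> bool:
    """Heuristic: does the cookie name suggest it tracks an authenticated user?"""
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def find_missing_httponly(headers: List[str]) -> List[str]:
    """Return the names of session-like cookies set without HttpOnly."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if looks_like_session_cookie(cookie["name"]) and "httponly" not in cookie["attrs"]:
            findings.append(cookie["name"])
    return findings


def add_httponly(header: str) -> str:
    """Return the header with '; HttpOnly' appended if it is not already present."""
    if "httponly" in parse_set_cookie(header)["attrs"]:
        return header
    return header.rstrip().rstrip(";") + "; HttpOnly"


if __name__ == "__main__":
    for name in find_missing_httponly(SAMPLE_HEADERS):
        print(f"session cookie without HttpOnly: {name}")
    for header in SAMPLE_HEADERS:
        print(add_httponly(header))
```

A name heuristic over-reports by design: in the sample, csrftoken is flagged even though a CSRF token cookie is commonly one that client-side scripts must read, which is exactly the third caveat above. The finding therefore needs confirmation against how the application actually uses each cookie before the attribute is added.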