Cookie Without HttpOnly Flag Detected

low Web App Scanning Plugin ID 98063

Language:

Synopsis

Cookie Without HttpOnly Flag Detected

Description

The HttpOnly flag assists in the prevention of client side-scripts (such as JavaScript) from accessing and using the cookie.

This can help prevent XSS attacks from targeting the cookies holding the client's session token (setting the HttpOnly flag does not prevent, nor safeguard against XSS vulnerabilities themselves).

Solution

The initial step to remedy this would be to determine whether any client-side scripts (such as JavaScript) need to access the cookie and if not, set the HttpOnly flag.
It should be noted that some older browsers are not compatible with the HttpOnly flag; therefore, setting this flag will not protect those clients against this form of attack.

See Also

https://www.owasp.org/index.php/HttpOnly

Plugin Details

Severity: Low

ID: 98063

Type: remote

Family: HTTP Security Header

Published: 3/31/2017

Updated: 12/11/2023

Scan Template: basic, config_audit, full, overview, pci, quick, scan

Risk Information

VPR

Risk Factor: Low

Score: 1.4

CVSS v2

Risk Factor: Low

Base Score: 2.6

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Low

Base Score: 3.1

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

CVSS Score Source: Tenable

CVSS v4

Risk Factor: Low

Base Score: 2.1

Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

CVSS Score Source: Tenable

Reference Information

CWE: 1004

OWASP: 2010-A9, 2013-A6, 2017-A3, 2021-A5

WASC: Application Misconfiguration

DISA STIG: APSC-DV-002210

HIPAA: 164.306(a)(1), 164.306(a)(2)

ISO: 27001-A.14.2.5

NIST: sp800_53-CM-6b

OWASP ASVS: 4.0.2-3.4.2

PCI-DSS: 3.2-6.5.10