Cookie Without Secure Flag Detected

low Web App Scanning Plugin ID 98064

Language:

Synopsis

Cookie Without Secure Flag Detected

Description

When the `secure` flag is set on a cookie, the browser will prevent it from being sent over a clear text channel (HTTP) and only allow it to be sent when an encrypted channel is used (HTTPS).

The scanner discovered that a cookie was set by the server without the secure flag being set. Although the initial setting of this cookie was via an HTTPS connection, any HTTP link to the same server will result in the cookie being sent in clear text.

Note that if the cookie does not contain sensitive information, the risk of this vulnerability is mitigated.

Solution

If the cookie contains sensitive information, then the server should ensure that the cookie has the `secure` flag set.

See Also

https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#secure-attribute

Plugin Details

Severity: Low

ID: 98064

Type: remote

Family: HTTP Security Header

Published: 3/31/2017

Updated: 12/11/2023

Scan Template: basic, config_audit, full, overview, pci, quick, scan

Risk Information

VPR

Risk Factor: Low

Score: 1.4

CVSS v2

Risk Factor: Low

Base Score: 2.6

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Low

Base Score: 3.1

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

CVSS Score Source: Tenable

CVSS v4

Risk Factor: Low

Base Score: 2.1

Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

CVSS Score Source: Tenable

Reference Information

CWE: 614

OWASP: 2010-A9, 2013-A6, 2017-A3, 2021-A5

WASC: Insufficient Transport Layer Protection

CAPEC: 102

DISA STIG: APSC-DV-002220

HIPAA: 164.312(a), 164.312(e)

ISO: 27001-A.10.1.1, 27001-A.14.1.2, 27001-A.14.1.3, 27001-A.18.1.5

NIST: sp800_53-SC-13

OWASP ASVS: 4.0.2-3.4.1

PCI-DSS: 3.2-6.5.10