The software uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.
The HttpOnly flag directs compatible browsers to prevent client-side script from accessing cookies. Including the HttpOnly flag in the Set-Cookie HTTP response header helps mitigate the risk associated with Cross-Site Scripting (XSS), where an attacker's script might attempt to read the contents of a cookie and exfiltrate the information obtained. When the flag is set, browsers that support it will not reveal the contents of the cookie to client-side script, including script injected via XSS.
| Scope | Impact | Note |
|---|---|---|
| Confidentiality | Read Application Data | If the HttpOnly flag is not set, then sensitive information stored in the cookie may be exposed to unintended parties. |
| Integrity | Gain Privileges or Assume Identity | If the cookie in question is an authentication cookie, then not setting the HttpOnly flag may allow an adversary to steal authentication data (e.g., a session ID) and assume the identity of the user. |
Leverage the HttpOnly flag when setting a sensitive cookie in a response.
In this example, a cookie is used to store a session ID for a client's interaction with a website. The intention is that the cookie will be sent to the website with each request made by the client.
The snippet of code below establishes a new cookie to hold the session ID.
The HttpOnly flag is not set for the cookie. An attacker who can perform XSS could insert malicious script such as:
When the client loads and executes this script, it makes a request to the attacker-controlled web site. The attacker can then log the request and steal the cookie.
To mitigate the risk, use the setHttpOnly(true) method.
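The entry's own snippet is Java servlet code and uses Cookie.setHttpOnly(true). As an added example (not part of the CWE entry), the Python below shows the same mitigation at the header level and adds the check a reviewer would run against a response: it parses Set-Cookie values, identifies cookies whose names suggest session or authentication data, and reports any that lack HttpOnly (and, since the two are normally set together, Secure). The name hints and the sample headers are constructed for this example.

```python
"""Audit Set-Cookie headers for sensitive cookies missing HttpOnly.

Added example, not code from the CWE entry. The name hints below are an
assumption about what counts as a sensitive cookie; adjust for your application.
"""
from typing import Dict, List

# Substrings that mark a cookie as sensitive (constructed heuristic).
SENSITIVE_NAME_HINTS = ("session", "sess", "auth", "token", "jsessionid", "phpsessid")


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Split one Set-Cookie value into name, value and a lower-cased attribute map.

    Flag attributes such as HttpOnly and Secure map to True; valued attributes
    such as Max-Age map to their string value.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def is_sensitive(cookie_name: str) -> bool:
    """Heuristic: session/auth-looking names are treated as sensitive."""
    lowered = cookie_name.lower()
    return any(hint in lowered for hint in SENSITIVE_NAME_HINTS)


def audit_set_cookie_headers(headers: List[str]) -> List[str]:
    """Return one finding string per missing HttpOnly/Secure flag on a sensitive cookie."""
    findings: List[str] = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if not is_sensitive(str(cookie["name"])):
            continue
        attrs = cookie["attrs"]
        if "httponly" not in attrs:
            findings.append(f"{cookie['name']}: missing HttpOnly")
        if "secure" not in attrs:
            findings.append(f"{cookie['name']}: missing Secure")
    return findings


def build_session_cookie(name: str, value: str) -> str:
    """Mitigated form: the header-level equivalent of setHttpOnly(true) and setSecure(true)."""
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


# Constructed sample response headers: one weak session cookie, one harmless
# preference cookie, one correctly flagged auth cookie.
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/",
    "theme=dark; Path=/; Max-Age=31536000",
    "auth_token=xyz; Path=/; Secure; HttpOnly; SameSite=Strict",
]

if __name__ == "__main__":
    for finding in audit_set_cookie_headers(SAMPLE_HEADERS):
        print(finding)
    print("fixed:", build_session_cookie("JSESSIONID", "abc123"))
```

Run against the sample headers, the audit reports only JSESSIONID (missing both flags); the cookie produced by build_session_cookie passes with no findings. The name heuristic is deliberately simple; in a real review, the list of sensitive cookies comes from the application's design rather than from name matching.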
| Reference | Description | Link |
|---|---|---|
| CVE-2014-3852 | CMS written in Python does not include the HTTPOnly flag in a Set-Cookie header, allowing remote attackers to obtain potentially sensitive information via script access to this cookie. | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3852 |
| CVE-2015-4138 | Appliance for managing encrypted communications does not use HttpOnly flag. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4138 |