Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute

Property
Language: kotlin
Severity: low
CWE: CWE-614: Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute
OWASP: A05:2021 - Security Misconfiguration
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The code creates cookies without setting the ‘secure’ flag, allowing them to be sent over unencrypted HTTP connections. This exposes sensitive cookie data to interception by attackers on the network.

Impact

If exploited, attackers could capture session cookies or other sensitive data via network sniffing, leading to session hijacking or unauthorized access to user accounts. This weakens the application’s overall security, especially when users connect over public or unsecured networks.

Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute

Property
Language: java
Severity: low
CWE: CWE-614: Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute
OWASP: A05:2021 - Security Misconfiguration
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

A cookie is being set without the ‘secure’ flag, which means it can be sent over unencrypted HTTP connections. This exposes sensitive session data to interception by attackers on the network.

Impact

If exploited, an attacker could steal session cookies by intercepting traffic over unsecured networks (like public Wi-Fi), potentially allowing unauthorized access to user accounts or sensitive data. This increases the risk of session hijacking and compromises user privacy.

Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute

Property
Language: php
Severity: low
CWE: CWE-614: Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute
OWASP: A05:2021 - Security Misconfiguration
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

Found a configuration file where the secure attribute is not set to ‘true’. Setting ‘secure’ to ‘true’ prevents the client from transmitting the cookie over unencrypted channels and therefore prevents cookies from being stolen through man-in-the-middle attacks.

Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute

Property
Language: python
Severity: low
CWE: CWE-614: Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute
OWASP: A05:2021 - Security Misconfiguration
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The code sets cookies in a Flask response without explicitly setting the ‘secure’, ‘httponly’, and ‘samesite’ options. This leaves cookies vulnerable to theft or misuse because they can be accessed by client-side scripts or sent over insecure connections.

Impact

Attackers could intercept or steal these cookies via cross-site scripting (XSS) or network attacks, potentially hijacking user sessions or accessing sensitive information. This could lead to unauthorized access to user accounts and compromise the security of your application and its users.

Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute

Property
Language: python
Severity: low
CWE: CWE-614: Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute
OWASP: A05:2021 - Security Misconfiguration
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

Cookies are being set in Django without specifying secure attributes like ‘secure’, ‘httponly’, or ‘samesite’. This means cookies may be sent over insecure connections or accessed by client-side scripts, making them vulnerable to theft or misuse.

Impact

If exploited, attackers could intercept cookies over unsecured connections or access them via malicious scripts, potentially leading to session hijacking, user impersonation, or unauthorized access to sensitive data. This weakens the application’s overall security and puts user accounts at risk.

Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute

Property
Language: python
Severity: low
CWE: CWE-614: Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute
OWASP: A05:2021 - Security Misconfiguration
Confidence Level: Medium
Impact Level: Low
Likelihood Level: Low

Description

The code sets a cookie in a Pyramid web application without enabling the ‘secure’ flag. This means the cookie can be sent over unencrypted (HTTP) connections, exposing sensitive data to interception.

Impact

If exploited, attackers could steal session cookies over unsecured networks, leading to account hijacking or unauthorized access to user data. This weakens the overall security of your application and puts users at risk.

Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute

Property
Language: python
Severity: low
CWE: CWE-614: Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute
OWASP: A05:2021 - Security Misconfiguration
Confidence Level: Medium
Impact Level: Low
Likelihood Level: Low

Description

Cookies are being set in Pyramid applications without the ‘secure’ flag enabled, which means they may be sent over unencrypted HTTP connections. This makes the cookies vulnerable to interception.

Impact

If an attacker intercepts network traffic, they could steal session or authentication cookies sent over insecure connections, potentially leading to account takeovers or unauthorized access to sensitive user data.

Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute

Property
Language: python
Severity: low
CWE: CWE-614: Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute
OWASP: A05:2021 - Security Misconfiguration
Confidence Level: Medium
Impact Level: Low
Likelihood Level: Low

Description

The Pyramid AuthTkt authentication cookie is being created without setting the ‘secure’ flag to True. This means the cookie can be sent over unencrypted HTTP connections, making it vulnerable to interception.

Impact

If exploited, an attacker on the same network could steal authentication cookies during transmission, potentially gaining unauthorized access to user accounts and sensitive data. This compromises session integrity and can lead to account takeover or data breaches.

Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute

Property
Language: python
Severity: low
CWE: CWE-614: Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute
OWASP: A05:2021 - Security Misconfiguration
Confidence Level: Medium
Impact Level: Low
Likelihood Level: Low

Description

The Pyramid authentication ticket cookie is being created without setting secure=True, which means the cookie can be transmitted over unencrypted HTTP connections. This exposes sensitive authentication data to interception by attackers on insecure networks.

Impact

If exploited, an attacker could steal authentication cookies via network sniffing on unsecured connections, potentially hijacking user sessions and gaining unauthorized access to user accounts or sensitive areas of the application.

Sensitive Cookie with Improper SameSite Attribute

Property
Language: go
Severity: low
CWE: CWE-1275: Sensitive Cookie with Improper SameSite Attribute
OWASP: A05:2021 - Security Misconfiguration
Confidence Level: Medium
Impact Level: Low
Likelihood Level: Low

Description

The session cookie is set with SameSite=None, which allows it to be sent with cross-site requests. This setting can expose the application to cross-site request forgery (CSRF) attacks.

Impact

If exploited, attackers could trick users’ browsers into sending authenticated requests to your app from malicious sites, potentially leading to unauthorized actions or data exposure. This weakens session security and puts user accounts at risk.
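The following is an added example, not part of the rule catalogue above or of any scanner's own code: a stdlib-only check that audits Set-Cookie header values for the attributes the CWE-614 entries (Secure, HttpOnly, SameSite) and the CWE-1275 entry (SameSite=None) describe, alongside a helper that emits a hardened header for comparison. The cookie names and values are constructed for the example.

```python
# Added example: audit Set-Cookie headers for the flags the rules above check.
from http.cookies import SimpleCookie
from typing import List


def audit_set_cookie(header: str) -> List[str]:
    """Return findings for one Set-Cookie header value; [] means all attributes present."""
    jar = SimpleCookie()
    jar.load(header)  # parses "name=value; Path=/; Secure; ..." into Morsel objects
    findings = []
    for name, morsel in jar.items():
        # Flag attributes read back as True when present and "" when absent.
        if not morsel["secure"]:
            findings.append(f"{name}: missing Secure (CWE-614)")
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly")
        samesite = morsel["samesite"]
        if not samesite:
            findings.append(f"{name}: missing SameSite")
        elif samesite.lower() == "none":
            # SameSite=None lets the browser attach the cookie to cross-site
            # requests, which is the condition the CWE-1275 rule reports.
            findings.append(f"{name}: SameSite=None permits cross-site sends (CWE-1275)")
    return findings


def hardened_cookie(name: str, value: str, samesite: str = "Lax") -> str:
    """Build a Set-Cookie value carrying Secure, HttpOnly and an explicit SameSite."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = "/"
    jar[name]["secure"] = True
    jar[name]["httponly"] = True
    jar[name]["samesite"] = samesite
    return jar[name].OutputString()


# Constructed sample headers (hypothetical values, not taken from any real app).
WEAK_NO_FLAGS = "session=eyJ1c2VyIjoxfQ; Path=/"                   # Flask/Django default style
WEAK_SAMESITE_NONE = "session=abc123; Path=/; Secure; HttpOnly; SameSite=None"

if __name__ == "__main__":
    for hdr in (WEAK_NO_FLAGS, WEAK_SAMESITE_NONE, hardened_cookie("session", "abc123")):
        print(hdr, "->", audit_set_cookie(hdr) or "ok")
```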