Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute
| Property | |
|---|---|
| Language | generic |
| Severity |  |
| CWE | CWE-614: Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute |
| OWASP | A05:2021 - Security Misconfiguration |
| Confidence Level | Medium |
| Impact Level | Low |
| Likelihood Level | Low |
Description#
The session cookie is configured without the ‘Secure’ flag, which means it can be sent over unencrypted HTTP connections. This exposes sensitive session data to interception by attackers on the network.
Impact#
If exploited, attackers could capture session cookies via unsecured connections, potentially hijacking user sessions and gaining unauthorized access to user accounts or sensitive information. This weakens overall application security and puts user data at risk.