Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute
| Property | Value |
|---|---|
| Language | generic |
| Severity | |
| CWE | CWE-614: Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute |
| OWASP | A05:2021 - Security Misconfiguration |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Description
The application’s configuration disables the Secure flag on cookies, allowing them to be sent over unencrypted HTTP connections. This exposes sensitive authentication or session information to interception by attackers on the network.
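The following is an added example, not part of the original rule page: a small Python check that parses `Set-Cookie` response headers, reports session- or authentication-style cookies that lack the `Secure` attribute (the CWE-614 condition described above), and shows the hardened header a fix would emit. The sample headers and the list of "sensitive" name hints are constructed for this example; a real scanner would take the header list from the application's actual HTTP responses or framework configuration.

```python
"""Detect and harden Set-Cookie headers missing the Secure attribute (CWE-614).

Example code added for illustration; the sample headers and the
SENSITIVE_NAME_HINTS list below are constructed, not taken from any product.
"""
from typing import Dict, List, Union

# Substrings that usually indicate an authentication or session cookie.
# This list is an assumption for the example; tune it to the application.
SENSITIVE_NAME_HINTS = ("session", "sess", "auth", "token", "jwt", "login")

# Browsers reject cookies with these name prefixes unless Secure is set,
# so they are always treated as sensitive here.
SECURE_PREFIXES = ("__Secure-", "__Host-")


def parse_set_cookie(header_value: str) -> Dict[str, Union[str, Dict[str, Union[str, bool]]]]:
    """Split one Set-Cookie value into name, value and lower-cased attributes.

    Attributes without a value (Secure, HttpOnly) map to True; attributes
    with a value (Path=/, SameSite=Lax) map to their string value.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Union[str, bool]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def is_sensitive(cookie_name: str) -> bool:
    """Heuristic: name prefix or substring suggests session/auth state."""
    if cookie_name.startswith(SECURE_PREFIXES):
        return True
    lowered = cookie_name.lower()
    return any(hint in lowered for hint in SENSITIVE_NAME_HINTS)


def find_insecure_cookies(set_cookie_headers: List[str]) -> List[str]:
    """Return names of sensitive cookies that would also be sent over plain HTTP."""
    findings = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if is_sensitive(cookie["name"]) and "secure" not in cookie["attrs"]:
            findings.append(cookie["name"])
    return findings


def harden_set_cookie(header_value: str) -> str:
    """Append Secure (and HttpOnly, if absent) without touching other attributes."""
    cookie = parse_set_cookie(header_value)
    header = header_value.rstrip("; ")
    if "secure" not in cookie["attrs"]:
        header += "; Secure"
    if "httponly" not in cookie["attrs"]:
        header += "; HttpOnly"
    return header


# Constructed sample response headers: one weak, one already hardened,
# one non-sensitive preference cookie that the check should ignore.
SAMPLE_SET_COOKIE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",
    "auth_token=xyz789; Path=/; Secure; HttpOnly; SameSite=Strict",
    "theme=dark; Path=/; Max-Age=31536000",
]

if __name__ == "__main__":
    for name in find_insecure_cookies(SAMPLE_SET_COOKIE_HEADERS):
        print(f"CWE-614: cookie '{name}' is set without the Secure attribute")
    print("hardened:", harden_set_cookie(SAMPLE_SET_COOKIE_HEADERS[0]))
```

Run against the constructed headers, the check reports only `sessionid`; the `auth_token` cookie already carries `Secure` and `theme` is not treated as sensitive. The hardened form of the weak header becomes `sessionid=abc123; Path=/; HttpOnly; Secure`, which a browser will then send only on `https://` requests. The name-based heuristic is deliberately conservative about false negatives; in practice the fix is applied in the framework's cookie or session configuration so that every authentication cookie is emitted with `Secure` regardless of its name.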
Impact
If exploited, attackers could steal users’ session cookies via network sniffing, potentially hijacking accounts or gaining unauthorized access to sensitive data. This weakens the overall security of user sessions and increases the risk of data breaches.