Sensitive Cookie Without ‘HttpOnly’ Flag
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-1004: Sensitive Cookie Without ‘HttpOnly’ Flag |
| OWASP | A05:2021 - Security Misconfiguration |
| Confidence Level | Medium |
| Impact Level | Low |
| Likelihood Level | Low |
Description#
The session cookie is being set without the ‘HttpOnly’ flag enabled. This means client-side scripts can access the cookie, increasing the risk of sensitive information leakage.
Impact#
If exploited, an attacker could use cross-site scripting (XSS) to steal session cookies from users, potentially hijacking accounts or gaining unauthorized access to sensitive areas of the application.