Sensitive Cookie Without ‘HttpOnly’ Flag
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-1004: Sensitive Cookie Without ‘HttpOnly’ Flag |
| OWASP | A05:2021 - Security Misconfiguration |
| Confidence Level | Medium |
| Impact Level | Low |
| Likelihood Level | Low |
Description
The session cookie is set without the ‘HttpOnly’ flag, so client-side scripts (for example, anything reading `document.cookie`) can access its value. This omission leaves the session cookie exposed to theft through cross-site scripting (XSS) attacks: any script injected into the page can read and exfiltrate it.
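As an added example (not part of the original rule page), the following Python checker applies this rule to `Set-Cookie` headers: it parses each header, flags a session cookie that lacks `HttpOnly`, and shows the corrected header next to the weak one. The list of session cookie names and the sample headers are assumptions chosen for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Cookie names commonly used for sessions (assumed list; extend for your frameworks).
SESSION_COOKIE_NAMES = {"sessionid", "jsessionid", "phpsessid", "connect.sid", "asp.net_sessionid"}

@dataclass
class CookieAudit:
    name: str
    http_only: bool
    findings: list[str] = field(default_factory=list)

def parse_set_cookie(header: str) -> tuple[str, dict[str, str]]:
    """Split one Set-Cookie value into (cookie name, {lowercased attribute: value}); flags map to ""."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs: dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()   # attribute names are case-insensitive
    return name, attrs

def audit_set_cookie(header: str) -> CookieAudit:
    """Flag a session cookie that is readable by client-side script (no HttpOnly)."""
    name, attrs = parse_set_cookie(header)
    audit = CookieAudit(name=name, http_only="httponly" in attrs)
    if name.lower() in SESSION_COOKIE_NAMES and not audit.http_only:
        audit.findings.append("CWE-1004: session cookie set without HttpOnly")
    return audit

def harden_set_cookie(header: str) -> str:
    """Return the same Set-Cookie value with HttpOnly appended when it is absent."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    present = {p.partition("=")[0].strip().lower() for p in parts[1:]}
    if "httponly" not in present:
        parts.append("HttpOnly")
    return "; ".join(parts)

def audit_response(headers: list[str]) -> list[str]:
    """Audit every Set-Cookie header of one response; returns one line per finding."""
    return [f"{a.name}: {msg}" for a in map(audit_set_cookie, headers) for msg in a.findings]

# Constructed sample response headers, not taken from any real application.
SAMPLE_SET_COOKIE_HEADERS = [
    "sessionid=3f9a1c7e; Path=/; Secure; HttpOnly",   # compliant
    "JSESSIONID=9B2D4F; Path=/app",                   # session cookie, missing HttpOnly
    "theme=dark; Path=/; Max-Age=31536000",           # preference cookie, out of scope
]
```

Running `audit_response(SAMPLE_SET_COOKIE_HEADERS)` reports only the `JSESSIONID` header, and `harden_set_cookie` on that header yields `JSESSIONID=9B2D4F; Path=/app; HttpOnly`.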
Impact
If exploited, an attacker could steal session cookies using malicious scripts, potentially hijacking user sessions and gaining unauthorized access to sensitive user accounts or data. This compromises user security and may lead to data breaches.