Sensitive Cookie Without ‘HttpOnly’ Flag
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-1004: Sensitive Cookie Without ‘HttpOnly’ Flag |
| OWASP | A05:2021 - Security Misconfiguration |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Description
The code creates or sets cookies without enabling the ‘HttpOnly’ flag, which allows client-side scripts (like JavaScript) to access these cookies. This makes sensitive information stored in cookies more accessible to attackers using cross-site scripting (XSS) attacks.
Impact
If exploited, attackers could steal authentication tokens or session identifiers from cookies using malicious scripts, potentially allowing them to hijack user accounts or impersonate users. This weakens overall application security and exposes users to account compromise.
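Added example, not code from this rule page: a Python helper that emits a Set-Cookie header with and without the HttpOnly flag using the standard-library http.cookies module, plus a small audit function that flags session cookies missing the flag. The list of cookie names treated as sensitive is an assumption made for the example.

```python
from http.cookies import SimpleCookie

# Assumed list of cookie names that carry session or auth state (constructed for this example).
SENSITIVE_NAMES = {"sessionid", "sid", "auth_token", "jsessionid", "phpsessid"}


def build_cookie_header(name, value, httponly=True):
    """Return a Set-Cookie header value; httponly=False reproduces the CWE-1004 weakness."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = "/"
    jar[name]["samesite"] = "Lax"
    jar[name]["secure"] = True
    jar[name]["httponly"] = httponly      # the flag this rule checks for
    return jar.output(header="").strip()  # e.g. "sessionid=abc123; HttpOnly; Path=/; ..."


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attr_lowercase: attr_value_or_True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        # Attribute names are case-insensitive; flags such as HttpOnly carry no value.
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def audit_set_cookie(header):
    """Return findings for one Set-Cookie header; an empty list means the cookie passes."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if name.lower() in SENSITIVE_NAMES and "httponly" not in attrs:
        findings.append(f"CWE-1004: cookie '{name}' is readable by script (missing HttpOnly)")
    return findings


if __name__ == "__main__":
    weak = build_cookie_header("sessionid", "abc123", httponly=False)   # constructed value
    fixed = build_cookie_header("sessionid", "abc123")
    print(weak, audit_set_cookie(weak))
    print(fixed, audit_set_cookie(fixed))
```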