Language: java
Severity: low
CWE: CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag
OWASP: A05:2021 - Security Misconfiguration
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

A cookie is set without the HttpOnly flag, so client-side script can read its value through document.cookie. If the cookie carries a session identifier or other sensitive data, any cross-site scripting (XSS) flaw in the application is enough to exfiltrate it. HttpOnly does not prevent XSS; it limits what injected script can do with the cookie once an injection exists. In Java, javax.servlet.http.Cookie defaults to HttpOnly=false, so the flag has to be set explicitly with setHttpOnly(true) (Servlet 3.0 and later), included literally in a hand-built Set-Cookie header, or configured for the container's session cookie. The rule's confidence is low because static analysis cannot always tell whether a given cookie actually holds sensitive data.
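The flagged pattern beside its hardened form, as an added example written for this page rather than code taken from the rule or from any project. Class and cookie names are hypothetical, and the session token is generated locally so the snippet stands alone:

```java
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example; hypothetical names, not code from the rule page.
public class SessionCookieExample {

    private static final SecureRandom RNG = new SecureRandom();

    // Opaque, unguessable session token (128 bits, URL-safe base64).
    static String newSessionToken() {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    // Flagged pattern: a session cookie that document.cookie can read, because
    // javax.servlet.http.Cookie defaults HttpOnly (and Secure) to false.
    static Cookie vulnerableSessionCookie(String token) {
        Cookie c = new Cookie("APP_SESSION", token);
        c.setPath("/");
        return c; // no setHttpOnly, no setSecure
    }

    // Hardened form: HttpOnly keeps the value out of reach of script,
    // Secure keeps it off plaintext HTTP, Max-Age bounds its lifetime.
    static Cookie hardenedSessionCookie(String token) {
        Cookie c = new Cookie("APP_SESSION", token);
        c.setPath("/");
        c.setHttpOnly(true);   // Servlet 3.0+
        c.setSecure(true);
        c.setMaxAge(30 * 60);
        return c;
    }

    // When the header is written by hand (e.g. to add SameSite, which the
    // javax Cookie API does not expose), the flag is a literal attribute.
    static String hardenedSetCookieHeader(String token) {
        return "APP_SESSION=" + token
                + "; Path=/; Max-Age=1800; HttpOnly; Secure; SameSite=Lax";
    }

    // Guard for a review or unit test: refuse to emit a sensitive cookie
    // that is missing the flag.
    static Cookie requireHttpOnly(Cookie c) {
        if (!c.isHttpOnly()) {
            throw new IllegalStateException(
                    "cookie " + c.getName() + " must be HttpOnly");
        }
        return c;
    }

    public static class LoginServlet extends HttpServlet {
        @Override
        protected void doPost(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            // Credential check omitted; assume it succeeded.
            String token = newSessionToken();
            resp.addCookie(requireHttpOnly(hardenedSessionCookie(token)));
            resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
        }
    }
}
```

For the container-issued JSESSIONID the same flag is set declaratively in web.xml (Servlet 3.0+) under `<session-config><cookie-config>` with `<http-only>true</http-only>` and `<secure>true</secure>`, rather than through application code.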

Impact

If an attacker can inject script into your site, that script can read any cookie lacking the HttpOnly flag and send it to a server the attacker controls, giving them a copy of the user's session that works from their own browser for as long as the cookie is valid. The result is session hijacking and, through it, account compromise and access to whatever data the session can reach. Setting HttpOnly removes the cookie from document.cookie but does not neutralize the XSS itself: injected script can still issue same-origin requests that the browser will send with the cookie attached. HttpOnly therefore blocks theft and persistence of the session, not every abuse of it, and is a complement to fixing the injection, not a substitute.