Sensitive Cookie Without ‘HttpOnly’ Flag
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-1004: Sensitive Cookie Without ‘HttpOnly’ Flag |
| OWASP | A05:2021 - Security Misconfiguration |
| Confidence Level | Medium |
| Impact Level | Low |
| Likelihood Level | Low |
Description
Authentication cookies in your Pyramid application are being set without the ‘httponly=True’ flag. Without this flag, client-side scripts can read these sensitive cookies, which increases the risk of them being stolen.
Impact
If exploited, an attacker could use injected script (for example via XSS) to steal authentication cookies, potentially allowing unauthorized access to user accounts and compromising sensitive data. This can lead to account takeover and broader security breaches within your application.
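As an added example that is not part of the original rule page: a standard-library check that parses Set-Cookie headers and reports sensitive cookies issued without HttpOnly, alongside a helper that builds the hardened header. The cookie names `auth_tkt` (Pyramid's default for AuthTktAuthenticationPolicy) and `session` are assumed, and the sample headers are constructed.

```python
"""Added example: flag auth cookies set without HttpOnly (stdlib only)."""
from http.cookies import SimpleCookie

# Cookies that carry an authenticated identity and must not be readable
# from JavaScript. Assumption: these are the names the application uses.
SENSITIVE_COOKIES = {"auth_tkt", "session"}


def parse_set_cookie(header: str):
    """Return (cookie_name, {attribute_lowercase: value}) for one Set-Cookie header."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        # Flag attributes such as HttpOnly and Secure have no value; store True.
        attrs[key.strip().lower()] = value.strip() or True
    return name, attrs


def cookies_missing_httponly(set_cookie_headers, sensitive=SENSITIVE_COOKIES):
    """Names of sensitive cookies that a client-side script could read."""
    missing = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if name in sensitive and "httponly" not in attrs:
            missing.append(name)
    return missing


def hardened_cookie_header(name, value, path="/"):
    """Build a Set-Cookie header carrying the flags an auth cookie should have."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = path
    jar[name]["httponly"] = True   # not exposed through document.cookie
    jar[name]["secure"] = True     # only sent over TLS
    jar[name]["samesite"] = "Lax"  # limits cross-site sending
    return jar[name].OutputString()


# Constructed sample headers: the first is the shape Pyramid emits when the
# policy is configured without http_only=True; the second has the flag set.
SAMPLE_HEADERS = [
    "auth_tkt=CONSTRUCTED_TICKET!userid_type:b64str; Path=/",
    "session=CONSTRUCTED_SESSION; Path=/; HttpOnly",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    print("missing HttpOnly:", cookies_missing_httponly(SAMPLE_HEADERS))
    print("hardened:", hardened_cookie_header("auth_tkt", "CONSTRUCTED_TICKET"))
```

The `theme` cookie is deliberately not reported: the check targets only the cookies that carry an authenticated identity.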