Sensitive Cookie Without ‘HttpOnly’ Flag
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-1004: Sensitive Cookie Without ‘HttpOnly’ Flag |
| OWASP | A05:2021 - Security Misconfiguration |
| Confidence Level | Medium |
| Impact Level | Low |
| Likelihood Level | Low |
Description
The Pyramid AuthTkt cookie is being set without the ‘httponly’ flag enabled. This makes the authentication cookie accessible to client-side scripts, increasing the risk of it being stolen through cross-site scripting (XSS) attacks.
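As an added illustration (not the rule's own implementation), the check below scans Python source for the constructors that issue Pyramid's auth_tkt cookie and reports the ones whose cookie will be set without HttpOnly. In Pyramid the keyword that controls that cookie attribute is `http_only` on both `AuthTktAuthenticationPolicy` and `AuthTktCookieHelper`, and it defaults to `False`. The two configuration snippets embedded as input are constructed for this example; the `settings["auth.secret"]` key is assumed.

```python
# Added example: a small AST-based check that mirrors what this rule looks for.
import ast
from dataclasses import dataclass
from typing import Dict, List, Optional

# Pyramid classes that issue the auth_tkt cookie. On both, the keyword that
# controls the cookie's HttpOnly attribute is ``http_only`` (default False).
AUTHTKT_CLASSES = {"AuthTktAuthenticationPolicy", "AuthTktCookieHelper"}


@dataclass
class Finding:
    line: int
    cls: str
    reason: str


def _call_name(node: ast.Call) -> Optional[str]:
    """Return the bare name being called, for both ``X(...)`` and ``mod.X(...)``."""
    if isinstance(node.func, ast.Name):
        return node.func.id
    if isinstance(node.func, ast.Attribute):
        return node.func.attr
    return None


def find_insecure_authtkt(source: str) -> List[Finding]:
    """Flag AuthTkt constructor calls whose cookie will lack the HttpOnly attribute."""
    findings: List[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name not in AUTHTKT_CLASSES:
            continue
        if any(kw.arg is None for kw in node.keywords):
            # ``**options`` hides the value from static analysis; surface it for review.
            findings.append(Finding(node.lineno, name,
                                    "keyword arguments unpacked with **; cannot confirm http_only statically"))
            continue
        kwargs: Dict[str, ast.expr] = {kw.arg: kw.value for kw in node.keywords}
        value = kwargs.get("http_only")
        if value is None:
            findings.append(Finding(node.lineno, name, "http_only not set; Pyramid defaults it to False"))
        elif not (isinstance(value, ast.Constant) and value.value is True):
            findings.append(Finding(node.lineno, name, "http_only is not the literal True"))
    return findings


# Constructed sample: the misconfiguration this rule reports (http_only omitted).
VULNERABLE_CONFIG = '''\
from pyramid.authentication import AuthTktAuthenticationPolicy
from pyramid.config import Configurator

def main(global_config, **settings):
    config = Configurator(settings=settings)
    # http_only omitted: the auth_tkt cookie is readable by page scripts
    authn = AuthTktAuthenticationPolicy(settings["auth.secret"], hashalg="sha512")
    config.set_authentication_policy(authn)
    return config.make_wsgi_app()
'''

# Constructed sample: the corrected configuration (HttpOnly on, Secure on as well).
FIXED_CONFIG = '''\
from pyramid.authentication import AuthTktAuthenticationPolicy
from pyramid.config import Configurator

def main(global_config, **settings):
    config = Configurator(settings=settings)
    authn = AuthTktAuthenticationPolicy(settings["auth.secret"], hashalg="sha512",
                                        http_only=True, secure=True)
    config.set_authentication_policy(authn)
    return config.make_wsgi_app()
'''


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, find_insecure_authtkt(src) or "no findings")
```

The check deliberately reports only the literal `True` as safe: a value computed at runtime, or one hidden behind `**` unpacking, is flagged for manual review rather than assumed correct. Setting `http_only=True` is the fix for this finding; `secure=True` is shown alongside it because the same constructor controls that attribute and it also defaults to `False`.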
Impact
If exploited, an attacker could steal a user’s authentication cookie via malicious scripts, potentially allowing them to hijack user sessions and gain unauthorized access to sensitive parts of your application. This compromises user data and could lead to further attacks within your system.