Cookie Not Marked as HttpOnly

Summary #

Invicti identified a cookie not marked as HTTPOnly.

HTTPOnly cookies cannot be read by client-side scripts, therefore marking a cookie as HTTPOnly can provide an additional layer of protection against cross-site scripting attacks.

Impact #

During a cross-site scripting attack, an attacker might easily access cookies and hijack the victim's session.

Actions To Take #

See the remedy for solution.
Consider marking all of the cookies used by the application as HTTPOnly. (After these changes javascript code will not be able to read cookies.)

Remediation #

Mark the cookie as HTTPOnly. This will be an extra layer of defense against XSS. However this is not a silver bullet and will not protect the system against cross-site scripting attacks. An attacker can use a tool such as XSS Tunnel to bypass HTTPOnly protection.

Classifications #

CAPEC-107; CWE-16; ISO27001-A.14.2.5; WASC-15; OWASP 2013-A5; OWASP 2017-A6

Netsparker Security Insights #

Understanding Cookie Poisoning Attacks
How the POODLE Attack Spelled the End of SSL 3.0
5 Easy Wins for Web Application Security
HTTP Security Headers: An Easy Way to Harden Your Web Applications
Why Websites Need HTTP Strict Transport Security (HSTS)