Cookie Not Marked as HttpOnly
Invicti identified a cookie that is not marked as HttpOnly.
A cookie whose Set-Cookie header carries the HttpOnly attribute cannot be read by client-side scripts (for example through document.cookie), so marking a cookie as HttpOnly adds a layer of protection against cross-site scripting (XSS).
Without it, a script injected through an XSS vulnerability can read the session cookie and send it to the attacker, who can then use it to hijack the victim's session.
Actions To Take
- See the remedy for the solution.
Remedy
Mark the cookie as HttpOnly by adding the attribute to its Set-Cookie header. This is an extra layer of defense against XSS, not a complete fix: it does not prevent cross-site scripting itself, and an injected script still runs in the victim's browser, where every request it sends carries the cookie automatically. An attacker can use a tool such as XSS Tunnel to proxy requests through the victim's browser and act as the victim without ever reading the cookie value, so the underlying XSS vulnerabilities must be fixed as well. Only cookies that client-side code genuinely needs to read (for example a CSRF token used in a double-submit pattern) should be left without the attribute, and those should never carry session state.
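The following Python example is added here to illustrate the remedy; it is not Invicti's code or the scanner's actual check. It shows what the attribute looks like on the Set-Cookie header, a small audit that flags cookies lacking HttpOnly the way a scanner would (going slightly beyond the text by also reporting Secure and SameSite), and how to emit a correctly flagged session cookie with the standard library. The response headers, cookie names and values are constructed for illustration.

```python
"""Audit Set-Cookie headers for HttpOnly and emit a hardened cookie.

Added example for the HttpOnly finding; not Invicti's check. All header
values below are constructed sample data, not output from a real server.
"""
from dataclasses import dataclass
from http.cookies import SimpleCookie
from typing import List, Optional


@dataclass
class CookieFlags:
    name: str
    httponly: bool
    secure: bool
    samesite: Optional[str]


def parse_set_cookie(header_value: str) -> CookieFlags:
    """Parse one Set-Cookie value into its security-relevant attributes.

    Attribute names are case-insensitive per RFC 6265, so they are lowered
    before comparison; flag attributes (HttpOnly, Secure) have no value.
    """
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return CookieFlags(
        name=name.strip(),
        httponly="httponly" in attrs,
        secure="secure" in attrs,
        samesite=attrs.get("samesite") or None,
    )


def cookies_missing_httponly(set_cookie_headers: List[str]) -> List[str]:
    """Return the names of cookies that a script could read via document.cookie."""
    return [c.name for c in map(parse_set_cookie, set_cookie_headers) if not c.httponly]


def harden_set_cookie(header_value: str) -> str:
    """Append HttpOnly to a Set-Cookie value that lacks it (idempotent)."""
    if parse_set_cookie(header_value).httponly:
        return header_value
    return header_value.rstrip("; ") + "; HttpOnly"


def build_session_cookie(name: str, value: str) -> str:
    """Build a session cookie header value with HttpOnly, Secure and SameSite set.

    Uses http.cookies.SimpleCookie so the attribute spelling is the library's.
    """
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["httponly"] = True
    jar[name]["secure"] = True
    jar[name]["samesite"] = "Lax"
    jar[name]["path"] = "/"
    # output() prefixes each line with the header name; header="" drops it.
    return jar.output(header="").strip()


# Constructed sample response: one exposed session cookie, one CSRF cookie
# that is readable by design, and one correctly flagged auth cookie.
SAMPLE_SET_COOKIE_HEADERS = [
    "sessionid=3c2f8a9d1e; Path=/",                              # finding
    "csrftoken=9f1b2c3d; Path=/; SameSite=Strict",               # readable on purpose
    "auth=eyJhbGciOi; Path=/; Secure; HttpOnly; SameSite=Lax",   # fine
]


if __name__ == "__main__":
    for name in cookies_missing_httponly(SAMPLE_SET_COOKIE_HEADERS):
        print(f"cookie {name!r} is not marked as HttpOnly")
    print("hardened:", harden_set_cookie(SAMPLE_SET_COOKIE_HEADERS[0]))
    print("new session cookie:", build_session_cookie("sessionid", "3c2f8a9d1e"))
```

When triaging the audit output, note that the csrftoken entry is reported too: a double-submit CSRF token must stay readable by script, so it is a finding to document rather than to fix, while the sessionid entry is the real problem.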