Cookie Not Marked as HttpOnly

Severity: Low

Summary#

Invicti identified a cookie not marked as HTTPOnly.

HTTPOnly cookies cannot be read by client-side scripts, therefore marking a cookie as HTTPOnly can provide an additional layer of protection against cross-site scripting attacks.

Impact#

During a cross-site scripting attack, an attacker might easily access cookies and hijack the victim's session.

Actions To Take#

See the remedy for solution.
Consider marking all of the cookies used by the application as HTTPOnly. (After these changes javascript code will not be able to read cookies.)

Remediation#

Mark the cookie as HTTPOnly. This will be an extra layer of defense against XSS. However this is not a silver bullet and will not protect the system against cross-site scripting attacks. An attacker can use a tool such as XSS Tunnel to bypass HTTPOnly protection.

Classifications#

ISO27001-A.14.2.5, OWASP 2017-A6, OWASP 2013-A5, CWE-16, WASC-15, CAPEC-107

Invicti Security Insights

HTTP security headers: An easy way to harden your web applications
Why Websites Need HTTP Strict Transport Security (HSTS)
SameSite Cookies by Default in Chrome 76 and Above
Content-Type and Status Code Leakage
Cross Site Cookie Manipulation