CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag
Weakness ID: 1004
The software uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.
The HttpOnly flag directs compatible browsers to prevent client-side script from accessing cookies. Including the HttpOnly flag in the Set-Cookie HTTP response header helps mitigate the risk associated with Cross-Site Scripting (XSS) where an attacker's script code might attempt to read the contents of a cookie and exfiltrate information obtained. When set, browsers that support the flag will not reveal the contents of the cookie to a third party via client-side script executed via XSS.
Time of Introduction
Architecture and Design
Technical Impact: Read application
If the HttpOnly flag is not set, then sensitive information stored in
the cookie may be exposed to unintended parties.
Technical Impact: Gain privileges / assume
If the cookie in question is an authentication cookie, then not
setting the HttpOnly flag may allow an adversary to steal authentication
data (e.g., a session ID) and assume the identity of the user.
Likelihood of Exploit
In this example, a cookie is used to store a session ID for a
client's interaction with a website. The intention is that the cookie will
be sent to the website with each request made by the client.
The snippet of code below establishes a new cookie to hold the
import javax.servlet.http.Cookie;
String sessionID = generateSessionId();
Cookie c = new Cookie("session_id", sessionID);
// No c.setHttpOnly(true): page script can read this cookie.
The HttpOnly flag is not set for the cookie. An attacker who can
perform XSS could insert malicious script such as:
Appliance for managing encrypted communications
does not use HttpOnly flag.
Leverage the HttpOnly flag when setting a sensitive cookie in a
While this mitigation is effective for protecting cookies from a
browser's own scripting engine, third-party components or plugins may
have their own engines that allow access to cookies.
Attackers might also be able to use XMLHTTPResponse to read the
headers directly and obtain the cookie.
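As an added example that is not part of this CWE entry, the Python below parses Set-Cookie header values, reports cookies whose names suggest session or authentication data (a constructed name list) when HttpOnly or Secure is absent, and builds a correctly flagged header for comparison. The sample headers are constructed.

```python
"""Audit Set-Cookie headers for sensitive cookies lacking HttpOnly."""
from http.cookies import SimpleCookie

# Constructed list: cookie names that usually carry session/auth material.
SENSITIVE_NAMES = {"session_id", "jsessionid", "auth_token", "sid"}

# Constructed sample headers as a server might emit them.
SAMPLE_HEADERS = [
    "session_id=abc123; Path=/",                    # weak: no HttpOnly, no Secure
    "auth_token=xyz789; Path=/; Secure; HttpOnly",  # correctly flagged
    "theme=dark; Path=/",                           # not sensitive, ignored
]


def parse_set_cookie(header_value):
    """Return {name: {"value", "httponly", "secure"}} for one Set-Cookie value."""
    jar = SimpleCookie()
    jar.load(header_value)
    parsed = {}
    for name, morsel in jar.items():
        parsed[name] = {
            "value": morsel.value,
            # Flag attributes are True when present, "" when absent.
            "httponly": bool(morsel["httponly"]),
            "secure": bool(morsel["secure"]),
        }
    return parsed


def audit_set_cookie_headers(headers):
    """List (cookie name, problem) for sensitive cookies missing a flag."""
    findings = []
    for header in headers:
        for name, attrs in parse_set_cookie(header).items():
            if name.lower() not in SENSITIVE_NAMES:
                continue
            if not attrs["httponly"]:
                findings.append((name, "missing HttpOnly (CWE-1004)"))
            if not attrs["secure"]:
                findings.append((name, "missing Secure"))
    return findings


def hardened_set_cookie(name, value, max_age=3600):
    """Build a Set-Cookie value with the flags a session cookie needs."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = "/"
    jar[name]["max-age"] = max_age
    jar[name]["secure"] = True
    jar[name]["httponly"] = True
    return jar[name].OutputString()
```

Running audit_set_cookie_headers over captured response headers gives a quick regression check that a deployment has not dropped the flag.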
An HTTP cookie is a small piece of data attributed to a specific website
and stored on the user's computer by the user's web browser. This data can
be leveraged for a variety of purposes including saving information entered
into form fields, recording user activity, and for authentication purposes.
Cookies used to save or record information generated by the user are
accessed and modified by script code embedded in a web page, while cookies
used for authentication are created by the website's server and sent to the
user to be attached to future requests. These authentication cookies are
often not meant to be accessed by the web page sent to the user, and are
instead just supposed to be attached to future requests to verify