Sensitive Cookie Without 'HttpOnly' Flag

Abstraction: Variant
Structure: Simple
Status: Incomplete
Description

This vulnerability occurs when an application stores sensitive data in a cookie but fails to set the 'HttpOnly' flag, leaving the cookie accessible to client-side scripts.

Extended Description

The 'HttpOnly' flag is a critical security directive sent within the `Set-Cookie` HTTP header. When present, it instructs compatible web browsers to block all client-side scripts (like JavaScript) from reading the cookie's contents. This creates a vital defensive layer, specifically designed to contain the damage from a Cross-Site Scripting (XSS) attack by preventing malicious scripts from stealing cookie data. Without this flag, any sensitive information stored in the cookie—such as session tokens or authentication details—becomes exposed. If an XSS flaw exists elsewhere in the application, an attacker can execute script to read the cookie and exfiltrate its data, potentially leading to session hijacking or account compromise. Setting the 'HttpOnly' flag is a fundamental and widely supported practice to protect user sessions even when other vulnerabilities are present.

Common Consequences
Scope: Confidentiality

Impact: Read Application Data

If the HttpOnly flag is not set, then sensitive information stored in the cookie may be exposed to unintended parties.

Scope: Integrity

Impact: Gain Privileges or Assume Identity

If the cookie in question is an authentication cookie, then not setting the HttpOnly flag may allow an adversary to steal authentication data (e.g., a session ID) and assume the identity of the user.

Detection Methods
Automated Static Analysis
Effectiveness: High
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.).
Potential Mitigations
Phase: Implementation
Leverage the HttpOnly flag when setting a sensitive cookie in a response.

Effectiveness: High

Demonstrative Examples
In this example, a cookie is used to store a session ID for a client's interaction with a website. The intention is that the cookie will be sent to the website with each request made by the client.
The snippet of code below establishes a new cookie to hold the sessionID.

Code Example (Bad, Java):
The HttpOnly flag is not set for the cookie. An attacker who can perform XSS could insert malicious script such as:

Code Example (Attack, JavaScript):
When the client loads and executes this script, it makes a request to the attacker-controlled web site. The attacker can then log the request and steal the cookie.
To mitigate the risk, call the cookie's `setHttpOnly(true)` method before adding it to the response.

Code Example (Good, Java):
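The page's own demonstrative example is in Java and its code is not reproduced in this copy. The following Python block is an added example, not part of the CWE entry: it builds the `Set-Cookie` header value for a session cookie with and without `HttpOnly` (the 'Bad' and 'Good' cases above), and then audits a list of response headers for sensitive cookies that lack the flag, the same pattern an automated check would apply. The cookie name `session_id`, the sensitive-name hints, and the sample headers are constructed for this example.

```python
"""Added example (not from the CWE entry): emit Set-Cookie headers with and
without HttpOnly, and audit response headers for sensitive cookies missing it."""
from __future__ import annotations

from http.cookies import SimpleCookie

# Substrings that usually mark a session or authentication cookie.
# Constructed for this example; a real audit should use the application's own cookie names.
SENSITIVE_NAME_HINTS = ("session", "sess", "auth", "token", "jsessionid", "sid")


def build_session_cookie(session_id: str, http_only: bool = True, secure: bool = True) -> str:
    """Return the Set-Cookie header value for a session cookie.

    http_only=False reproduces the weakness (the 'Bad' case); the default
    (http_only=True) is the mitigation, equivalent to Java's setHttpOnly(true).
    """
    jar = SimpleCookie()
    jar["session_id"] = session_id            # assumed cookie name
    morsel = jar["session_id"]
    morsel["path"] = "/"
    morsel["samesite"] = "Strict"
    if http_only:
        morsel["httponly"] = True             # blocks document.cookie access in the browser
    if secure:
        morsel["secure"] = True               # only sent over HTTPS
    return morsel.OutputString()


def parse_set_cookie(header_value: str) -> dict:
    """Parse one Set-Cookie header value into its name, value and attributes.

    Attribute names are lowercased so 'HttpOnly', 'httponly' and 'HTTPOnly'
    all match; flag attributes with no '=' get an empty string as value.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def is_sensitive(cookie_name: str) -> bool:
    """Heuristic: does the cookie name look like session or auth state?"""
    lowered = cookie_name.lower()
    return any(hint in lowered for hint in SENSITIVE_NAME_HINTS)


def audit_set_cookie_headers(headers: list[str]) -> list[str]:
    """Return names of sensitive cookies that were set without the HttpOnly attribute."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if is_sensitive(cookie["name"]) and "httponly" not in cookie["attrs"]:
            findings.append(cookie["name"])
    return findings


# Constructed sample response headers: two weak, one correct, one non-sensitive.
SAMPLE_RESPONSE_HEADERS = [
    "JSESSIONID=A1B2C3D4E5F6; Path=/",
    "auth_token=eyJhbGciOiJIUzI1NiJ9.example; Path=/; Secure",
    "session_id=9f8e7d6c; Path=/; HttpOnly; Secure; SameSite=Strict",
    "theme=dark; Path=/",
]


if __name__ == "__main__":
    print("Bad :", build_session_cookie("9f8e7d6c", http_only=False))
    print("Good:", build_session_cookie("9f8e7d6c"))
    print("Sensitive cookies without HttpOnly:", audit_set_cookie_headers(SAMPLE_RESPONSE_HEADERS))
```

The audit deliberately parses the raw header text rather than reusing `SimpleCookie`, because the check is about what the browser will see, and `HttpOnly` is an attribute of the `Set-Cookie` header rather than of the cookie value; the same loop can be pointed at captured responses from an HTTP client or a proxy log. Note that `HttpOnly` only protects the cookie from script access; it does not stop a script running under XSS from issuing requests that the browser will still send the cookie with, so it is one layer beside `Secure`, `SameSite` and fixing the XSS itself.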
Observed Examples
CVE-2022-24045: Web application for a room automation system has client-side JavaScript that sets a sensitive cookie without the HTTPOnly security attribute, allowing the cookie to be accessed.
CVE-2014-3852: CMS written in Python does not include the HTTPOnly flag in a Set-Cookie header, allowing remote attackers to obtain potentially sensitive information via script access to this cookie.
CVE-2015-4138: Appliance for managing encrypted communications does not use the HttpOnly flag.
Likelihood of Exploit

Medium

Applicable Platforms
Languages: Not Language-Specific (Undetermined Prevalence)
Technologies: Web Based (Undetermined Prevalence)
Modes of Introduction
Phase: Implementation