Sensitive Cookie Without 'HttpOnly' Flag

Abstraction: Variant
Status: Incomplete
Structure: Simple
Description

The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.

Extended Description

The HttpOnly flag directs compatible browsers to prevent client-side script from accessing cookies. Including the HttpOnly flag in the Set-Cookie HTTP response header helps mitigate the risk associated with Cross-Site Scripting (XSS), where an attacker's script might attempt to read the contents of a cookie and exfiltrate the information obtained. When the flag is set, browsers that support it will not reveal the contents of the cookie to a third party via client-side script executed through XSS.

Common Consequences
Scope: Confidentiality

Impact: Read Application Data

If the HttpOnly flag is not set, then sensitive information stored in the cookie may be exposed to unintended parties.

Scope: Integrity

Impact: Gain Privileges or Assume Identity

If the cookie in question is an authentication cookie, then not setting the HttpOnly flag may allow an adversary to steal authentication data (e.g., a session ID) and assume the identity of the user.

Detection Methods

Method: Automated Static Analysis

Effectiveness: High

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.).
Potential Mitigations
Phase: Implementation
Leverage the HttpOnly flag when setting a sensitive cookie in a response.

Effectiveness: High
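As an added example (not part of this CWE entry), the following Python script shows the mitigation from the implementer's side and the check from the reviewer's side: it builds Set-Cookie header values with the HttpOnly flag using the standard library, and it audits a constructed list of response headers for sensitive cookies that lack the flag. The cookie names, the sample header values and the list of "sensitive" name fragments are assumptions made for illustration.

```python
import http.cookies

# Constructed name fragments treated as "sensitive" for this example; a real
# audit would use the application's own list of session/auth cookie names.
SENSITIVE_MARKERS = ("session", "sessid", "auth", "token")

# Constructed Set-Cookie header values standing in for captured HTTP responses.
SAMPLE_HEADERS = [
    "session_id=31d4d96e407aad42; Path=/",             # sensitive, flag missing
    "JSESSIONID=9A2B7C; Path=/; HttpOnly; Secure",     # sensitive, flag present
    "theme=dark; Path=/; Max-Age=31536000",            # not sensitive
]


def build_set_cookie(name, value, http_only=True, secure=True):
    """Return a Set-Cookie header value; HttpOnly is on unless disabled."""
    jar = http.cookies.SimpleCookie()
    jar[name] = value
    jar[name]["path"] = "/"
    if http_only:
        # Supporting browsers will then withhold the cookie from document.cookie.
        jar[name]["httponly"] = True
    if secure:
        jar[name]["secure"] = True
    return jar[name].OutputString()


def parse_set_cookie(header_value):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr: val or True})."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, has_value, val = part.partition("=")
        # Attribute names are case-insensitive; flags without a value map to True.
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value.strip(), attrs


def is_sensitive(cookie_name):
    lowered = cookie_name.lower()
    return any(marker in lowered for marker in SENSITIVE_MARKERS)


def audit_set_cookie_headers(headers):
    """Return (cookie_name, finding) pairs for sensitive cookies missing HttpOnly."""
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if is_sensitive(name) and "httponly" not in attrs:
            findings.append((name, "missing HttpOnly"))
    return findings


if __name__ == "__main__":
    for cookie_name, finding in audit_set_cookie_headers(SAMPLE_HEADERS):
        print(f"{cookie_name}: {finding}")
    print("fixed header:", build_set_cookie("session_id", "31d4d96e407aad42"))
```

Running the script reports only `session_id` from the sample headers, since `JSESSIONID` already carries HttpOnly and `theme` is not treated as sensitive. The same audit function can be pointed at Set-Cookie headers collected from a proxy or test harness to confirm the mitigation is applied consistently across responses.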

Demonstrative Examples

In this example, a cookie is used to store a session ID for a client's interaction with a website. The intention is that the cookie will be sent to the website with each request made by the client.

The snippet of code below establishes a new cookie to hold the session ID.

Code Example (Bad, Java):
The HttpOnly flag is not set for the cookie. An attacker who can perform XSS could insert malicious script such as:

Code Example (Attack, JavaScript):
When the client loads and executes this script, it makes a request to the attacker-controlled web site. The attacker can then log the request and steal the cookie.
To mitigate the risk, use the setHttpOnly(true) method.

Code Example (Good, Java):
Observed Examples

CVE-2022-24045: Web application for a room automation system has client-side JavaScript that sets a sensitive cookie without the HTTPOnly security attribute, allowing the cookie to be accessed.

CVE-2014-3852: CMS written in Python does not include the HTTPOnly flag in a Set-Cookie header, allowing remote attackers to obtain potentially sensitive information via script access to this cookie.

CVE-2015-4138: Appliance for managing encrypted communications does not use the HttpOnly flag.
References

[REF-2] OWASP. "HttpOnly".

[REF-3] Michael Howard. "Some Bad News and Some Good News". 2002.

[REF-4] Troy Hunt. "C is for cookie, H is for hacker - understanding HTTP only and Secure cookies". 2013-03-26.

[REF-5] Microsoft. "Mitigating Cross-site Scripting With HTTP-only Cookies".
Likelihood of Exploit

Medium

Applicable Platforms

Languages: Not Language-Specific (Prevalence: Undetermined)

Technologies: Web Based (Prevalence: Undetermined)

Modes of Introduction

Phase: Implementation