Sensitive Cookie Without 'HttpOnly' Flag
ID | scala.cookie.scala_cookie_rule_cookiehttponly
Severity | low
Resource | Cookie
Language | Scala
Description
A new cookie is created without the HttpOnly flag set. The HttpOnly flag is a directive to the browser to ensure that the cookie cannot be read by client-side script. When a user is the target of a cross-site scripting (XSS) attack, the attacker would benefit greatly from being able to read the session ID, for example.
Rationale
The following code illustrates a vulnerable pattern detected by this rule:
import javax.servlet.http.{Cookie, HttpServletResponse}

def danger(res: HttpServletResponse): Unit = {
  // VULNERABLE: Sensitive Cookie Without 'HttpOnly' Flag
  val cookie = new Cookie("key", "value")
  cookie.setSecure(true)     // Secure only restricts the cookie to TLS; it does not stop script access
  cookie.setMaxAge(60)
  cookie.setHttpOnly(false)  // danger: the cookie stays readable from client-side script
  res.addCookie(cookie)
}
Remediation
Set the HttpOnly flag on every sensitive cookie (cookie.setHttpOnly(true)) so that the browser refuses to expose it to client-side script, and review the references below for further guidance.
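The remediated form of the pattern above, as an added example that is not part of the rule page. It sets HttpOnly together with the other attributes already used in the vulnerable snippet, and adds a small helper that checks a raw Set-Cookie header value for the HttpOnly attribute, which is useful in response tests or audits. The cookie name, the session value and the one-hour lifetime are assumptions; the two header strings are constructed for the demonstration.

```scala
import javax.servlet.http.{Cookie, HttpServletResponse}

object CookieHardening {

  // Remediated counterpart of danger(): the cookie is flagged HttpOnly so
  // document.cookie and similar script APIs cannot read it. Name and
  // lifetime are assumptions for this example.
  def safe(res: HttpServletResponse, sessionId: String): Unit = {
    val cookie = new Cookie("session", sessionId)
    cookie.setHttpOnly(true)   // not readable from client-side script
    cookie.setSecure(true)     // only sent over TLS
    cookie.setMaxAge(3600)     // one hour (assumed lifetime)
    cookie.setPath("/")
    res.addCookie(cookie)
  }

  // Defensive check for tests or response audits: given the value of a
  // Set-Cookie header, report whether the HttpOnly attribute is present.
  // Attribute names are matched case-insensitively, as browsers do.
  def hasHttpOnly(setCookieHeader: String): Boolean =
    setCookieHeader
      .split(";")
      .iterator
      .drop(1)                       // the first segment is name=value
      .map(_.trim.toLowerCase)
      .contains("httponly")

  // Constructed sample header values (not captured from a real server).
  val vulnerableHeader = "JSESSIONID=abc123; Secure; Max-Age=60"
  val hardenedHeader   = "JSESSIONID=abc123; Secure; HttpOnly; Max-Age=3600; Path=/"

  def main(args: Array[String]): Unit = {
    assert(!hasHttpOnly(vulnerableHeader), "expected HttpOnly to be missing")
    assert(hasHttpOnly(hardenedHeader), "expected HttpOnly to be present")
    println("vulnerable header has HttpOnly: " + hasHttpOnly(vulnerableHeader))
    println("hardened header has HttpOnly:   " + hasHttpOnly(hardenedHeader))
  }
}
```

The hasHttpOnly check is deliberately independent of the servlet API so it can be applied to headers captured from any response, for instance in an integration test that asserts every session cookie the application emits carries the flag.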
References
- OWASP Top 10 2021 - A01: Broken Access Control.