CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag

Learn about CWE-1004 (Sensitive Cookie Without 'HttpOnly' Flag), its security impact, exploitation methods, and prevention guidelines.

• Overview: Sensitive Cookie Without 'HttpOnly' Flag is a vulnerability where cookies storing sensitive information are not protected against client-side script access due to the absence of the HttpOnly flag, increasing the risk of unauthorized access through XSS attacks.

• Exploitation Methods:

  • Attackers exploit this vulnerability by executing cross-site scripting (XSS) attacks to access cookies using client-side scripts.
  • Common attack patterns include injecting malicious scripts into web pages that read and exfiltrate cookie data, potentially leading to session hijacking.

• Security Impact:

  • Direct consequences of successful exploitation include unauthorized access to sensitive information like session tokens, user credentials, or other security-sensitive cookies.
  • Potential cascading effects involve full account takeover, data breaches, and further exploitation of user accounts.
  • Business impact includes loss of customer trust, potential legal consequences, and financial losses due to data breaches.

• Prevention Guidelines:

  • Specific code-level fixes involve setting the HttpOnly flag for cookies containing sensitive information by including HttpOnly in the Set-Cookie HTTP response header.
  • Security best practices include regularly auditing and reviewing application code for XSS vulnerabilities and applying security patches promptly.
  • Recommended tools and frameworks include using security-focused libraries and frameworks that support automatic cookie flagging and leveraging Content Security Policy (CSP) to mitigate XSS risks.

Technical Details

Likelihood of Exploit: Medium

Affected Languages: Not Language-Specific

Affected Technologies: Web Based

An HTTP cookie is a small piece of data attributed to a specific website and stored on the user's computer by the user's web browser. This data can be leveraged for a variety of purposes, including saving information entered into form fields, recording user activity, and authentication. Cookies used to save or record information generated by the user are typically accessed and modified by script code embedded in a web page, whereas cookies used for authentication are created by the website's server and sent to the user's browser to be attached to future requests. These authentication cookies are usually not meant to be accessed by the web page at all; they are only supposed to be attached to future requests so the server can verify the user's authentication details.

Vulnerable Code Example

JavaScript Example

// Setting a cookie without the HttpOnly flag leaves it vulnerable to XSS attacks
const express = require('express');
const app = express();

app.get('/login', (req, res) => {
    // Setting a cookie to store sensitive session data without HttpOnly
    res.cookie('sessionId', 'abc123', { secure: true });
    res.send('Logged in');
});

app.listen(3000, () => console.log('Server running on port 3000'));

Explanation:

  • The above code sets a cookie named sessionId to store a user's session identifier.
  • The cookie is marked as secure, meaning it will only be sent over HTTPS.
  • Vulnerability: The lack of the HttpOnly flag means that the cookie can be accessed via JavaScript, making it susceptible to theft through XSS attacks. This is a critical security issue as it exposes sensitive session data to potential attackers.

To mitigate the risk of cookie theft via Cross-Site Scripting (XSS) attacks, sensitive cookies should be marked with the HttpOnly flag. This flag prevents the cookie from being accessed through JavaScript on the client side, thus enhancing the security of sensitive information stored in cookies.

Best Practices:

  1. Set the HttpOnly flag: Use the HttpOnly flag when setting cookies containing sensitive information.
  2. Use the Secure flag: Ensure the cookie is sent only over HTTPS by setting the Secure flag.
  3. Set the SameSite attribute: Consider using the SameSite attribute to provide additional protection against cross-site request forgery (CSRF) attacks.
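As an added example (not code from the original page or from Corgea), the following Node.js audit function parses Set-Cookie response header values and reports any sensitive-looking cookie that is missing one of the three attributes listed above. The name patterns it treats as sensitive are an assumed heuristic, and the sample headers are constructed to mirror the vulnerable and fixed examples on this page.

```javascript
// Added example: audit Set-Cookie headers for sensitive cookies that lack
// HttpOnly (CWE-1004), Secure, or SameSite. Not part of the original page.
// SENSITIVE_NAME_PATTERNS is an assumed heuristic, not a standard list.
const SENSITIVE_NAME_PATTERNS = [/session/i, /^sid$/i, /auth/i, /token/i];

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute keys are lowercased; flag attributes (HttpOnly, Secure) become true.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attrs = {};
  for (const part of attrParts) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name, value, attrs };
}

// Return one finding per sensitive cookie that is missing a protective attribute.
// Non-sensitive cookies (preferences, UI state) are skipped on purpose.
function auditSetCookieHeaders(headers) {
  const findings = [];
  for (const header of headers) {
    const { name, attrs } = parseSetCookie(header);
    if (!SENSITIVE_NAME_PATTERNS.some(re => re.test(name))) continue;
    const missing = [];
    if (!attrs.httponly) missing.push('HttpOnly'); // CWE-1004
    if (!attrs.secure) missing.push('Secure');
    if (!attrs.samesite) missing.push('SameSite');
    if (missing.length) findings.push({ cookie: name, missing });
  }
  return findings;
}

// Constructed sample headers: the first matches the vulnerable example,
// the second the fixed example, the third a non-sensitive preference cookie.
const SAMPLE_HEADERS = [
  'sessionId=abc123; Path=/; Secure',
  'sessionId=abc123; Path=/; Secure; HttpOnly; SameSite=Strict',
  'theme=dark; Path=/',
];

const REPORT = auditSetCookieHeaders(SAMPLE_HEADERS);
console.log(JSON.stringify(REPORT, null, 2));
```

The same function can be pointed at headers captured from a staging environment to confirm that every session or token cookie carries HttpOnly before release.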

Fixed Code Example

const express = require('express');
const app = express();

app.get('/login', (req, res) => {
    // Set the cookie with HttpOnly, Secure, and SameSite flags to protect sensitive data
    res.cookie('sessionId', 'abc123', { 
        secure: true,   // Ensures the cookie is sent over HTTPS
        httpOnly: true, // Prevents JavaScript from accessing the cookie
        sameSite: 'Strict' // Helps mitigate CSRF attacks
    });
    res.send('Logged in');
});

app.listen(3000, () => console.log('Server running on port 3000'));

Explanation:

  • Lines 5-10 (the res.cookie options): httpOnly: true adds the HttpOnly attribute to the Set-Cookie header, so the cookie can no longer be read by client-side JavaScript, which is crucial for protecting it against XSS attacks.
  • Lines 5-10: sameSite: 'Strict' prevents the browser from sending the cookie with cross-site requests, reducing the risk of CSRF attacks.
  • These changes ensure that the session cookie is more secure and less likely to be compromised by common web vulnerabilities. By following these best practices, the security of the application is significantly enhanced.