Web Application Session Cookies Not Marked HttpOnly

This script is Copyright (C) 2010-2015 Tenable Network Security, Inc.

Synopsis :

HTTP session cookies might be vulnerable to cross-site scripting attacks.

Description :

The remote web application uses cookies to track authenticated users.
However, one or more of those cookies are not marked 'HttpOnly',
meaning that a malicious client-side script such as JavaScript could
read them.

'HttpOnly' is a security mechanism to protect against cross-site
scripting attacks that was proposed by Microsoft and initially
implemented in Internet Explorer. All modern browsers support it.

Note that :

- 'HttpOnly' can be circumvented in some cases.

- The absence of this attribute does not mean that the web
  application is automatically vulnerable to cross-site
  scripting attacks.

- Some web applications need to manipulate the session
  cookie through client-side scripts, in which case the
  'HttpOnly' attribute cannot be set.

Solution :

If possible, add the 'HttpOnly' attribute to all session cookies.
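
To confirm the fix, the Set-Cookie headers returned by the application can be checked directly. The following is an added example, not the plugin's or Tenable's code; it assumes session cookies can be recognised by name (the SESSION_NAME pattern is a hypothetical heuristic) and runs over constructed sample headers.

```python
import re

# Assumption: name patterns that usually identify session cookies.
# Adjust to the application under review.
SESSION_NAME = re.compile(r"(sess|sid$|auth|token)", re.IGNORECASE)

def parse_set_cookie(value):
    """Split one Set-Cookie header value into (name, set of attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0].strip()
    # Attribute names are case-insensitive; keep only the part before '='.
    # Only attributes after the first ';' count, never the cookie value.
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
    return name, attrs

def missing_httponly(set_cookie_values, session_only=True):
    """Return names of cookies that were set without the HttpOnly attribute."""
    flagged = []
    for value in set_cookie_values:
        name, attrs = parse_set_cookie(value)
        if session_only and not SESSION_NAME.search(name):
            continue
        if "httponly" not in attrs:
            flagged.append(name)
    return flagged

# Constructed sample Set-Cookie header values (not from a real application).
SAMPLE = [
    "PHPSESSID=abc123; Path=/",                      # attribute missing
    "JSESSIONID=F00D; Path=/app; Secure; HttpOnly",  # correctly marked
    "auth_token=httponly; Path=/; Secure",           # 'httponly' is only the value
    "sid=9f2c; path=/; httponly",                    # lower-case attribute is valid
    "theme=dark; Path=/",                            # not a session cookie
]

if __name__ == "__main__":
    for cookie in missing_httponly(SAMPLE):
        print(f"session cookie without HttpOnly: {cookie}")
```
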

Risk factor :

Medium / CVSS Base Score : 4.3

Family: Web Servers

Nessus Plugin ID: 48432 (http_xss_session_cookie.nasl)
