Web Application Session Cookies Not Marked HttpOnly

This script is Copyright (C) 2010-2013 Tenable Network Security, Inc.


Synopsis :

HTTP session cookies might be vulnerable to cross-site scripting
attacks.

Description :

The remote web application uses cookies to track authenticated users.
However, one or more of those cookies are not marked 'HttpOnly',
meaning that a malicious client-side script (for example, injected
JavaScript) could read them.

'HttpOnly' is a security mechanism to protect against cross-site
scripting attacks that was proposed by Microsoft and initially
implemented in Internet Explorer. All modern browsers support it.

Note that :

- 'HttpOnly' can be circumvented in some cases.

- The absence of this attribute does not mean that the web
application is automatically vulnerable to cross-site
scripting attacks.

- Some web applications need to read or modify the session
cookie from client-side scripts, in which case the 'HttpOnly'
attribute cannot be set.

See also :

http://www.nessus.org/u?916b20e4
http://www.nessus.org/u?6752aae7

Solution :

If possible, add the 'HttpOnly' attribute to all session cookies.
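The check this plugin performs, and the fix the solution describes, as an added example that is not part of the plugin or of Tenable's code: parse each Set-Cookie response header, report session-looking cookies that carry no HttpOnly attribute, and show the corrected header. The session cookie name list and the sample headers are constructed for this example.

```python
"""Flag session cookies set without HttpOnly, and show the hardened header."""
import re

# Constructed list of common session cookie names; extend for your application.
SESSION_COOKIE_PATTERN = re.compile(
    r"^(PHPSESSID|JSESSIONID|ASP\.NET_SessionId|ASPSESSIONID\w*|CFID|CFTOKEN|"
    r"sessionid|session|sid|.*sess.*)$",
    re.IGNORECASE,
)


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attribute: value-or-None})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive, so normalise for lookup.
        attrs[key.strip().lower()] = val.strip() if val else None
    return name.strip(), value, attrs


def find_unprotected_session_cookies(set_cookie_headers):
    """Return names of session-like cookies whose header lacks HttpOnly."""
    findings = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if SESSION_COOKIE_PATTERN.match(name) and "httponly" not in attrs:
            findings.append(name)
    return findings


def with_httponly(header_value):
    """Return the Set-Cookie value with HttpOnly appended when it is missing."""
    _, _, attrs = parse_set_cookie(header_value)
    if "httponly" in attrs:
        return header_value
    return header_value.rstrip("; ") + "; HttpOnly"


# Constructed sample response headers: one hardened session cookie,
# one session cookie missing HttpOnly, and one non-session cookie.
SAMPLE_HEADERS = [
    "JSESSIONID=1A2B3C; Path=/; Secure; HttpOnly",
    "PHPSESSID=abc123; Path=/",
    "lang=en; Path=/; Max-Age=31536000",
]

if __name__ == "__main__":
    for name in find_unprotected_session_cookies(SAMPLE_HEADERS):
        print(f"session cookie '{name}' is not marked HttpOnly")
    print(with_httponly(SAMPLE_HEADERS[1]))
```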

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

Family: Web Servers

Nessus Plugin ID: 48432 (http_xss_session_cookie.nasl)

Bugtraq ID:

CVE ID: