This script is Copyright (C) 2010-2015 Tenable Network Security, Inc.
HTTP session cookies might be vulnerable to cross-site scripting
However, one or more of those cookies are not marked 'HttpOnly',
'HttpOnly' is a security mechanism to protect against cross-site
scripting attacks that was proposed by Microsoft and initially
implemented in Internet Explorer. All modern browsers support it.
Note that :
- 'HttpOnly' can be circumvented in some cases.
- The absence of this attribute does not mean that the web
application is automatically vulnerable to cross-site
- Some web applications need to manipulate the session
cookie through client-side scripts and the 'HttpOnly'
attribute cannot be set.
See also :
If possible, add the 'HttpOnly' attribute to all session cookies.
Risk factor :
Medium / CVSS Base Score : 4.3