Web Application Cookies Not Marked HttpOnly

This script is Copyright (C) 2015 Tenable Network Security, Inc.

Synopsis :

HTTP session cookies might be vulnerable to cross-site scripting attacks.

Description :

The remote web application sets various cookies throughout a user's
unauthenticated and authenticated session. However, one or more of
those cookies are not marked 'HttpOnly', meaning that a malicious
client-side script, such as JavaScript, could read them. The HttpOnly
flag, which was proposed by Microsoft and initially implemented in
Internet Explorer, is a security mechanism that limits the impact of
cross-site scripting attacks by hiding the cookie from client-side
scripts. All modern browsers now support it.

Note that this plugin detects all general cookies missing the HttpOnly
cookie flag, whereas plugin 48432 (Web Application Session Cookies
Not Marked HttpOnly) will only detect session cookies from an
authenticated session missing the HttpOnly cookie flag.

See also :


Solution :

Each cookie should be carefully reviewed to determine if it contains
sensitive data or is relied upon for a security decision.

If possible, add the 'HttpOnly' attribute to all session cookies
and any cookies containing sensitive data.
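
To support the review described above, the following added example (not
Tenable's plugin code and not part of the original advisory) lists the
cookies in a set of HTTP response headers that are set without the
HttpOnly attribute. The function names and the sample headers are
constructed for illustration.

```python
# Added example: report cookies set without the HttpOnly attribute.
# SAMPLE_HEADERS is constructed test data, not output from a real application.
SAMPLE_HEADERS = [
    ("Set-Cookie", "SESSIONID=abc123; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "auth_token=eyJ0eXAi; Path=/; Secure"),
    # The cookie *value* contains the word, but the attribute is absent.
    ("set-cookie", "theme=httponly; Path=/"),
    # Attribute names are case-insensitive, so this cookie is protected.
    ("Set-Cookie", "csrf=9f2c; Path=/; httponly; SameSite=Lax"),
    ("Content-Type", "text/html"),
]


def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, lowercased attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    # The first segment is always name=value; everything after is an attribute.
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def cookies_missing_httponly(headers):
    """Return the names of cookies whose Set-Cookie header lacks HttpOnly."""
    missing = []
    for header, value in headers:
        # Header field names are case-insensitive as well.
        if header.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if name and "httponly" not in attrs:
            missing.append(name)
    return missing


if __name__ == "__main__":
    for cookie in cookies_missing_httponly(SAMPLE_HEADERS):
        print(f"cookie set without HttpOnly: {cookie}")
```

Matching on the parsed attribute name rather than searching the whole
header for the string avoids treating a cookie such as "theme=httponly"
as protected.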

Risk factor :


Family: Web Servers

Nessus Plugin ID: 85601

Bugtraq ID:

