This script is Copyright (C) 2015 Tenable Network Security, Inc.
HTTP session cookies might be vulnerable to cross-site scripting
The remote web application sets various cookies throughout a user's
unauthenticated and authenticated session. However, one or more of
those cookies are not marked 'HttpOnly', meaning that a malicious
flag is a security mechanism to protect against cross-site scripting
attacks, which was proposed by Microsoft and initially implemented in
Internet Explorer. All modern browsers now support it.
Note that this plugin detects all general cookies missing the HttpOnly
cookie flag, whereas plugin 48432 (Web Application Session Cookies
Not Marked HttpOnly) will only detect session cookies from an
authenticated session missing the HttpOnly cookie flag.
See also :
Each cookie should be carefully reviewed to determine if it contains
sensitive data or is relied upon for a security decision.
If possible, add the 'HttpOnly' attribute to all session cookies
and any cookies containing sensitive data.
Risk factor :
Get Nessus Professional to scan unlimited IPs, run compliance checks & moreBuy Nessus Professional Now