Web Application Cookies Not Marked HttpOnly
Info Nessus Plugin ID 85601
Synopsis
HTTP session cookies are set without the HttpOnly flag, so script injected through a cross-site scripting flaw could read them.
Description
Note that this plugin reports every cookie set by the application that lacks the HttpOnly flag, whether or not the session was authenticated, whereas plugin 48432 (Web Application Session Cookies Not Marked HttpOnly) reports only session cookies from an authenticated session that lack the flag.
Solution
Each cookie should be carefully reviewed to determine whether it contains sensitive data or is relied upon for a security decision.
If possible, add the 'HttpOnly' attribute to all session cookies and any cookies containing sensitive data. Cookies that legitimately must be read by client-side script (for example a CSRF token that a JavaScript framework echoes back in a request header) cannot carry the flag, which is why the review above comes first.
Note that HttpOnly only prevents script from reading the cookie through document.cookie; script that an attacker has injected can still cause the browser to send requests that carry the cookie. The flag limits the impact of a cross-site scripting flaw but does not remove the need to fix it.
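The following script is an added example, not code from the Nessus plugin or from Tenable. It shows the check the Description section talks about (report every cookie missing HttpOnly, or only those that look like session cookies, which is the narrower scope the description attributes to plugin 48432) and the fix the Solution section asks for (append the missing attribute to a Set-Cookie header). The session-name pattern, the helper names and the sample Set-Cookie headers are assumptions constructed for the example; the headers are not taken from any real host. Adding Secure alongside HttpOnly goes beyond what this plugin flags and is included only because a practitioner fixing one would normally fix the other.

```python
"""Audit Set-Cookie headers for the HttpOnly flag.

Added example (not Nessus plugin code). The session-name heuristic and the
sample headers below are assumptions made for the example.
"""
import re
import urllib.request
from dataclasses import dataclass, field

# Heuristic for cookies that usually carry a session identifier (assumption:
# real applications may use other names, so review the report by hand).
SESSION_NAME_RE = re.compile(r"sess|connect\.sid|^sid$", re.IGNORECASE)


@dataclass
class CookieCheck:
    name: str
    value: str
    attributes: dict = field(default_factory=dict)  # lower-cased attr -> value, or True for flags
    httponly: bool = False
    secure: bool = False
    looks_like_session: bool = False


def parse_set_cookie(header: str) -> CookieCheck:
    """Parse one Set-Cookie header value. Attribute names are case-insensitive
    (RFC 6265), so 'httponly' and 'HttpOnly' are treated the same."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, sep, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return CookieCheck(
        name=name.strip(),
        value=value.strip(),
        attributes=attrs,
        httponly=attrs.get("httponly") is True,
        secure=attrs.get("secure") is True,
        looks_like_session=bool(SESSION_NAME_RE.search(name.strip())),
    )


def audit(headers, session_only=False):
    """Return the cookies that lack HttpOnly.

    session_only=False mirrors this plugin's scope (every cookie);
    session_only=True mirrors the narrower session-cookie scope the
    description attributes to plugin 48432.
    """
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie.httponly:
            continue
        if session_only and not cookie.looks_like_session:
            continue
        findings.append(cookie)
    return findings


def harden(header: str) -> str:
    """Return the header with HttpOnly (and Secure) appended where missing.
    The original attributes are left untouched."""
    cookie = parse_set_cookie(header)
    out = header.rstrip().rstrip(";")
    if not cookie.httponly:
        out += "; HttpOnly"
    if not cookie.secure:
        out += "; Secure"
    return out


def fetch_set_cookie_headers(url, timeout=10):
    """Collect the Set-Cookie headers from a live response (network access
    required). urllib follows redirects, so cookies set only on the
    intermediate 3xx response are not seen; use http.client for those."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.headers.get_all("Set-Cookie") or []


# Constructed sample headers for an offline run (not from any real host).
SAMPLE_HEADERS = [
    "JSESSIONID=1A2B3C; Path=/; HttpOnly",
    "PHPSESSID=abc123; Path=/",
    "theme=dark; Path=/; Max-Age=31536000",
    "csrftoken=xyz; Path=/; SameSite=Lax",
]

if __name__ == "__main__":
    for cookie in audit(SAMPLE_HEADERS):
        kind = "session" if cookie.looks_like_session else "general"
        print(f"{cookie.name}: missing HttpOnly ({kind} cookie)")
    print("Hardened:", harden("PHPSESSID=abc123; Path=/"))
```

Run against the sample it reports PHPSESSID, theme and csrftoken; with session_only=True only PHPSESSID. The csrftoken entry is the kind of finding the Solution section's review step exists for: if the application's JavaScript reads that cookie to populate a request header, marking it HttpOnly breaks the application, so it is triaged rather than blindly fixed.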