Web Application Cookies Not Marked HttpOnly

info Nessus Plugin ID 85601


HTTP session cookies might be vulnerable to cross-site scripting attacks.


The remote web application sets various cookies throughout a user's unauthenticated and authenticated session. However, one or more of those cookies are not marked 'HttpOnly', meaning that a malicious client-side script, such as JavaScript, could read them. The HttpOnly flag is a security mechanism to protect against cross-site scripting attacks, which was proposed by Microsoft and initially implemented in Internet Explorer. All modern browsers now support it.

Note that this plugin detects all general cookies missing the HttpOnly cookie flag, whereas plugin 48432 (Web Application Session Cookies Not Marked HttpOnly) will only detect session cookies from an authenticated session missing the HttpOnly cookie flag.


Each cookie should be carefully reviewed to determine if it contains sensitive data or is relied upon for a security decision.

If possible, add the 'HttpOnly' attribute to all session cookies and any cookies containing sensitive data.

See Also


Plugin Details

Severity: Info

ID: 85601

File Name: http_generic_httponly_cookies.nasl

Version: Revision: 1.1

Type: remote

Family: Web Servers

Published: 8/24/2015

Updated: 8/24/2015

Reference Information

CWE: 20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990