Web Application Cookies Not Marked Secure
Info Nessus Plugin ID 85602
SynopsisHTTP session cookies might be transmitted in cleartext.
DescriptionThe remote web application sets various cookies throughout a user's unauthenticated and authenticated session. However, there are instances where the application is running over unencrypted HTTP or the cookies are not marked 'secure', meaning the browser could send them back over an unencrypted link under certain circumstances. As a result, it may be possible for a remote attacker to intercept these cookies.
Note that this plugin detects all general cookies missing the 'secure' cookie flag, whereas plugin 49218 (Web Application Session Cookies Not Marked Secure) will only detect session cookies from an authenticated session missing the secure cookie flag.
SolutionEach cookie should be carefully reviewed to determine if it contains sensitive data or is relied upon for a security decision.
If possible, ensure all communication occurs over an encrypted channel and add the 'secure' attribute to all session cookies or any cookies containing sensitive data.