Rules Repository / RSPEC-3330

Creating cookies without the "HttpOnly" flag is security-sensitive


    Details

    • Message:
      Make sure creating this cookie without the "HttpOnly" flag is safe.
    • Default Severity:
      Minor
    • Impact:
      Low
    • Likelihood:
      Low
    • Default Quality Profiles:
      Sonar way
    • Targeted languages:
      Objective-C, Swift, VB.Net, XML
    • Covered Languages:
      C#, Java, JavaScript, PHP, Python
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      10min
    • Analysis Level:
      Semantic Analysis
    • Analysis Scope:
      Main Sources
    • Common Rule:
      Yes
    • CWE:
      CWE-79, CWE-1004
    • OWASP:
      A7
    • SANS Top 25:
      Insecure Interaction Between Components
    • FindSecBugs:
      HTTPONLY_COOKIE

      Description

      When a cookie is configured with the HttpOnly attribute set to true, the browser guarantees that no client-side script will be able to read it. In most cases, when a cookie is created, the default value of HttpOnly is false and it is up to the developer to decide whether or not the content of the cookie may be read by client-side script. As the majority of Cross-Site Scripting (XSS) attacks target the theft of session cookies, the HttpOnly attribute helps to reduce their impact, since it is then not possible to exploit the XSS vulnerability to steal session cookies.

      Ask Yourself Whether

      • the cookie is sensitive, i.e. used to authenticate the user, for instance a session cookie
      • the HttpOnly attribute offers additional protection (this is not the case for an XSRF-TOKEN cookie / CSRF token, for example, which client-side code must be able to read)

      There is a risk if you answered yes to any of those questions.

      Recommended Secure Coding Practices

      • By default the HttpOnly flag should be set to true for most cookies, and it is mandatory for session / security-sensitive cookies.
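      The following is an added example in Python (one of the covered languages); it is not part of the rule page or of any SonarSource analyzer, and uses only the standard library. It builds a session cookie with HttpOnly set by default, and includes a small checker that mirrors what the rule flags: a sensitive cookie emitted in a Set-Cookie header without the flag. The list of sensitive cookie names is a constructed assumption.

```python
from http.cookies import SimpleCookie
from typing import List

# Cookie names that carry session or authentication state.
# Constructed sample list: adapt it to the names your application actually uses.
SENSITIVE_COOKIE_NAMES = {"sessionid", "JSESSIONID", "PHPSESSID", "ASP.NET_SessionId"}


def build_session_cookie(name: str, value: str, httponly: bool = True) -> str:
    """Return the Set-Cookie header value for a session cookie.

    httponly defaults to True: the browser then refuses to expose the cookie
    via document.cookie, so a script injected through XSS cannot read it.
    Passing httponly=False reproduces the non-compliant case the rule reports.
    """
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = "/"
    jar[name]["secure"] = True       # only send over HTTPS
    jar[name]["httponly"] = httponly  # flag attribute: emitted only when truthy
    return jar[name].OutputString()


def cookies_missing_httponly(set_cookie_header: str) -> List[str]:
    """Parse a Set-Cookie header and return the sensitive cookies lacking HttpOnly.

    Non-sensitive cookies (e.g. a theme preference or an XSRF-TOKEN that
    client-side code must read) are deliberately not reported.
    """
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    findings = []
    for cookie_name, morsel in jar.items():
        # morsel["httponly"] is True when the flag was present, "" otherwise
        if cookie_name in SENSITIVE_COOKIE_NAMES and not morsel["httponly"]:
            findings.append(cookie_name)
    return findings


if __name__ == "__main__":
    print(build_session_cookie("sessionid", "abc123"))
    print(build_session_cookie("sessionid", "abc123", httponly=False))
    print(cookies_missing_httponly("sessionid=abc123; Path=/; Secure"))
```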

      See


          Issue Links

          1. Java RSPEC-4494 (Language-Specification, Active)
          2. C# RSPEC-4552 (Language-Specification, Active)
          3. PHP RSPEC-4553 (Language-Specification, Active)
          4. XML RSPEC-5221 (Language-Specification, Active)
          5. Python RSPEC-5571 (Language-Specification, Active)
          6. Kotlin RSPEC-5575 (Language-Specification, Active)
          7. JavaScript RSPEC-5677 (Language-Specification, Active)


              People

              Assignee: Unassigned
              Reporter: ann.campbell.2 (Ann Campbell)
