Details

    • Type: Language-Specification
    • Status: Active
    • Resolution: Unresolved
    • Labels: None
    • Impact: Unknown
    • Likelihood: Unknown

      Description

      The HttpOnly attribute tells the browser to withhold a cookie from client-side script (it is not exposed through document.cookie), so a cross-site scripting (XSS) flaw in the page cannot read and exfiltrate it directly. A cookie that carries sensitive data, such as a session identifier or an authentication token, should therefore be created with HttpOnly set.

      Sensitive Code Example

      If you create a security-sensitive cookie in your Java code and explicitly disable the flag:

      import javax.servlet.http.Cookie;

      Cookie c = new Cookie(COOKIENAME, sensitivedata);
      c.setHttpOnly(false);  // Sensitive: the cookie is created with HttpOnly set to false, so it is readable from document.cookie and can be stolen easily through an XSS vulnerability
      

      The default is the same: a Cookie is created with HttpOnly set to false, so leaving the flag unset is equally sensitive:

      import javax.servlet.http.Cookie;

      Cookie c = new Cookie(COOKIENAME, sensitivedata);  // Sensitive: HttpOnly is not set (default false), so the cookie can be stolen easily through an XSS vulnerability
      

      Compliant Solution

      import javax.servlet.http.Cookie;

      Cookie c = new Cookie(COOKIENAME, sensitivedata);
      c.setHttpOnly(true); // Compliant: the browser withholds the cookie from script, so it is protected against theft via XSS (HttpOnly=true)
      
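      The following helper is an added example, not code from the rule page or from SonarSource; it shows how a practitioner would wrap cookie creation so the HttpOnly flag (together with Secure) cannot be forgotten, and how to emit the attribute by hand on a Servlet 2.5 container, where Cookie.setHttpOnly does not exist (it was added in Servlet 3.0). The class name SensitiveCookies, the path "/" and the isHttpOnlyMissing check are assumptions made for the example.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

// Added example (hypothetical helper class, not part of the rule or of any project).
public final class SensitiveCookies {

    private SensitiveCookies() {}

    // Creates a cookie carrying sensitive data with the flags a session cookie needs
    // on a Servlet 3.0+ container. Callers never touch the flags themselves.
    public static Cookie hardened(String name, String value) {
        Cookie c = new Cookie(name, value);
        c.setHttpOnly(true);   // withheld from document.cookie: XSS cannot read it directly
        c.setSecure(true);     // only sent over TLS, so it is not exposed on the wire
        c.setPath("/");        // assumption: scope the cookie to the whole application
        return c;
    }

    // Servlet 2.5 and older have no setHttpOnly(); write the Set-Cookie header directly.
    // Browsers honour the HttpOnly attribute regardless of which API produced the header.
    public static void addLegacyHttpOnly(HttpServletResponse resp, String name, String value) {
        resp.addHeader("Set-Cookie", name + "=" + value + "; Path=/; Secure; HttpOnly");
    }

    // Guard for code review or a servlet filter: true when a cookie is about to leave
    // the application without the HttpOnly flag (Servlet 3.0+ only).
    public static boolean isHttpOnlyMissing(Cookie c) {
        return !c.isHttpOnly();
    }

    // Typical use inside a servlet or controller.
    public static void issueSession(HttpServletResponse resp, String sessionId) {
        Cookie c = hardened("SESSIONID", sessionId);
        if (isHttpOnlyMissing(c)) {
            throw new IllegalStateException("refusing to send a sensitive cookie without HttpOnly");
        }
        resp.addCookie(c);
    }
}
```

      The container-managed session cookie (JSESSIONID) is not created through this API; on Servlet 3.0+ it is hardened in web.xml with session-config/cookie-config/http-only set to true (and secure set to true). Note that javax.servlet.http.Cookie has no SameSite setter, so that attribute, when wanted, also has to be emitted through the manual Set-Cookie header shown in addLegacyHttpOnly. HttpOnly only stops script from reading the cookie; it does not stop an XSS payload from issuing authenticated requests from the victim's browser, so it complements rather than replaces fixing the XSS itself.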

            People

            • Assignee:
              Unassigned
              Reporter:
              alexandre.gigleux Alexandre Gigleux