Admin Console is not using HttpOnly attribute in cookies

Description

xmltec-xmlmail (9091/tcp)

Medium (CVSS: 5.0)

NVT: Missing httpOnly Cookie Attribute (OID: 1.3.6.1.4.1.25623.1.0.105925)

Result:

The cookies: Set-Cookie: JSESSIONID=6ib0auzolp564mh73rkjvxil;Path=/ are missing the httpOnly attribute.

Impact
Application
Solution

Set the 'httpOnly' attribute for any session cookies.

Vulnerability Insight

The flaw is due to a cookie not using the 'httpOnly' attribute. This allows the cookie to be read by JavaScript, which could lead to session hijacking attacks.

Vulnerability Detection Method

Check all cookies sent by the application for a missing 'httpOnly' attribute
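A check of the kind the detection method above describes, as an added example that is not part of the scan report or of the Openfire project: it parses Set-Cookie headers (the one quoted in the finding plus two constructed ones) and reports session cookies that lack the HttpOnly attribute. It also flags a missing Secure attribute, which the OWASP cookie-attributes reference covers but this finding does not; the list of session cookie names is an assumption.

```python
import re

# Constructed sample: the first header is the one quoted in the finding above,
# the other two are invented to exercise the check.
SAMPLE_HEADERS = [
    "Set-Cookie: JSESSIONID=6ib0auzolp564mh73rkjvxil;Path=/",
    "Set-Cookie: JSESSIONID=abc123; Path=/; HttpOnly; Secure",
    "Set-Cookie: theme=dark; Path=/; Max-Age=3600",
]

# Assumed names of session cookies; extend for the application under test.
SESSION_COOKIE_NAMES = {"jsessionid", "phpsessid", "asp.net_sessionid"}


def parse_set_cookie(header):
    """Return (name, value, attrs) for one Set-Cookie header.

    Attribute names are lower-cased because RFC 6265 treats them
    case-insensitively, so 'HttpOnly', 'httponly' and 'HTTPONLY' all match.
    """
    body = re.sub(r"^set-cookie:\s*", "", header, flags=re.IGNORECASE)
    pairs = [p.strip() for p in body.split(";")]
    name, _, value = pairs[0].partition("=")
    attrs = {}
    for pair in pairs[1:]:
        if pair:
            key, _, val = pair.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def check_cookie(header, session_only=True):
    """Return (cookie name, list of missing attributes) for one header."""
    name, _, attrs = parse_set_cookie(header)
    if session_only and name.lower() not in SESSION_COOKIE_NAMES:
        return name, []  # non-session cookie: out of scope for this finding
    missing = [a for a in ("HttpOnly", "Secure") if a.lower() not in attrs]
    return name, missing


def scan_headers(headers, session_only=True):
    """Return [(name, missing attributes)] for every failing header."""
    results = (check_cookie(h, session_only) for h in headers)
    return [(name, missing) for name, missing in results if missing]


if __name__ == "__main__":
    for name, missing in scan_headers(SAMPLE_HEADERS):
        print(f"{name}: missing {', '.join(missing)}")
```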

References

Other: https://www.owasp.org/index.php/HttpOnly
https://www.owasp.org/index.php/Testing_for_cookies_attributes_(OTG-SESS-002)

Environment

None

Activity

csh
December 4, 2015, 11:11 PM

I think this is fixed since 3.10.3

Fixed

Assignee

Dave Cridland

Reporter

wroot

Expected Effort

None

Ignite Forum URL

None

Components

Fix versions

Affects versions

Priority

Major