CWE-1004 Details

CWE-1004

Sensitive Cookie Without 'HttpOnly' Flag
Medium
Incomplete
2017-01-19 00h00 +00:00
2025-12-11 00h00 +00:00

Name: Sensitive Cookie Without 'HttpOnly' Flag

The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.

CWE Description

The HttpOnly flag directs compatible browsers to prevent client-side script from accessing cookies. Including the HttpOnly flag in the Set-Cookie HTTP response header helps mitigate the risk associated with Cross-Site Scripting (XSS) where an attacker's script code might attempt to read the contents of a cookie and exfiltrate information obtained. When set, browsers that support the flag will not reveal the contents of the cookie to a third party via client-side script executed via XSS.

General Information

Background Information

Modes of Introduction

Implementation

Applicable Platforms

Language

Class: Not Language-Specific (Undetermined)

Technologies

Class: Web Based (Undetermined)
Name: Web Server (Undetermined)

Common Consequences

Scope: Confidentiality
Impact: Read Application Data
Note: If the HttpOnly flag is not set, then sensitive information stored in the cookie may be exposed to unintended parties.

Scope: Integrity
Impact: Gain Privileges or Assume Identity
Note: If the cookie in question is an authentication cookie, then not setting the HttpOnly flag may allow an adversary to steal authentication data (e.g., a session ID) and assume the identity of the user.

Observed Examples

Reference: Description

CVE-2024-47833: Python library for ML and data science does not use the HTTPOnly security attribute for session cookies.

CVE-2022-24045: Web application for a room automation system has client-side JavaScript that sets a sensitive cookie without the HTTPOnly security attribute, allowing the cookie to be accessed.

CVE-2014-3852: CMS written in Python does not include the HTTPOnly flag in a Set-Cookie header, allowing remote attackers to obtain potentially sensitive information via script access to this cookie.

CVE-2015-4138: Appliance for managing encrypted communications does not use the HttpOnly flag.

Potential Mitigations

Phase: Implementation
Leverage the HttpOnly flag when setting a sensitive cookie in a response.
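As an added example (not code from the CWE entry or from any of the products it cites), the following Python audit parses Set-Cookie header values, flags cookies whose names look session- or auth-related but lack the HttpOnly attribute, and shows the corrected header. The sensitive-name pattern and the sample headers are constructed assumptions, not taken from a real application.

```python
"""Audit Set-Cookie headers for sensitive cookies missing HttpOnly (CWE-1004)."""
import re

# Assumed heuristic: cookie names that usually carry session or authentication state.
SENSITIVE_NAME_PATTERN = re.compile(r"(sess|auth|token|jwt|login|sid)", re.IGNORECASE)


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attribute: value}).

    Attribute names are lower-cased because browsers match them case-insensitively;
    flag attributes without a value (Secure, HttpOnly) are stored as True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def audit_set_cookie_headers(headers):
    """Return the names of sensitive-looking cookies that are set without HttpOnly."""
    findings = []
    for header_value in headers:
        name, _, attrs = parse_set_cookie(header_value)
        if SENSITIVE_NAME_PATTERN.search(name) and "httponly" not in attrs:
            findings.append(name)
    return findings


def harden_set_cookie(header_value):
    """Append HttpOnly to a Set-Cookie value that lacks it; leave compliant ones unchanged.

    Note: this only works server-side. A cookie written from client-side script
    (document.cookie) can never carry HttpOnly, which is the CVE-2022-24045 pattern.
    """
    _, _, attrs = parse_set_cookie(header_value)
    if "httponly" in attrs:
        return header_value
    return header_value.rstrip("; ") + "; HttpOnly"


# Constructed sample response headers for the demo (not captured from a real server).
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; Secure",                       # sensitive, no HttpOnly
    "csrftoken=xyz; Path=/; Secure; HttpOnly; SameSite=Lax",  # sensitive, compliant
    "theme=dark; Path=/",                                     # not sensitive
]

if __name__ == "__main__":
    for cookie_name in audit_set_cookie_headers(SAMPLE_HEADERS):
        print(f"CWE-1004: sensitive cookie '{cookie_name}' is set without HttpOnly")
```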

Detection Methods

Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.).
Effectiveness: High

Vulnerability Mapping Notes

Rationale: This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comments: Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.


Submission

Name | Organization | Date | Release Date | Version
CWE Content Team | MITRE | 2017-01-02 +00:00 | 2017-01-19 +00:00 | 2.10

Modifications

Name | Organization | Date | Comment
CWE Content Team | MITRE | 2017-11-08 +00:00 | updated Applicable_Platforms, References, Relationships
CWE Content Team | MITRE | 2020-02-24 +00:00 | updated Applicable_Platforms, Relationships
CWE Content Team | MITRE | 2021-10-28 +00:00 | updated Relationships
CWE Content Team | MITRE | 2023-01-31 +00:00 | updated Description
CWE Content Team | MITRE | 2023-04-27 +00:00 | updated Detection_Factors, References, Relationships, Time_of_Introduction
CWE Content Team | MITRE | 2023-06-29 +00:00 | updated Mapping_Notes
CWE Content Team | MITRE | 2023-10-26 +00:00 | updated Observed_Examples
CWE Content Team | MITRE | 2025-12-11 +00:00 | updated Applicable_Platforms, Observed_Examples, References, Relationships, Weakness_Ordinalities