Configuration Management / SSL/TLS Cookie without HttpOnly Flag

Web and API

Description

SSL/TLS Cookie without HttpOnly Flag is a configuration management vulnerability (CWE-1004) that allows an attacker to access sensitive cookies. It is present when a web or API application does not set the HttpOnly flag on its cookies; the flag instructs the browser not to expose the cookie to client-side JavaScript (for example through document.cookie). Without it, an attacker who can run script in the user's browser can read sensitive information stored in the cookie, such as session identifiers and authentication tokens. The OWASP Web Security Testing Guide covers testing for this issue in WSTG-SESS-02.

Risk

This vulnerability poses a high risk to web and API applications: the cookie may travel over an encrypted connection, yet an attacker who can read it from the browser still obtains the authentication tokens and session identifiers it carries, which could let the attacker take full control of a user's account.

Solution

The solution to this vulnerability is to configure web and API applications to set the "HttpOnly" flag on cookies, which prevents browsers from exposing them to JavaScript. Additionally, the application should set the "Secure" flag on any cookies that are transmitted over an encrypted connection, so that browsers send them only over HTTPS.
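The following is an added example, not code from the original page: it builds a session cookie with both flags set and audits captured Set-Cookie headers for the missing flags, the check WSTG-SESS-02 asks for. The cookie names and header values are constructed samples.

```python
from http.cookies import SimpleCookie

# Flags a session cookie served over HTTPS should carry (CWE-1004 / WSTG-SESS-02).
REQUIRED_FLAGS = ("httponly", "secure")

def build_session_cookie(name: str, value: str) -> str:
    """Return a hardened Set-Cookie header value with HttpOnly and Secure set."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["httponly"] = True   # browser hides the cookie from document.cookie
    jar[name]["secure"] = True     # browser sends the cookie only over TLS
    jar[name]["path"] = "/"
    return jar[name].OutputString()

def parse_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie header value into its cookie name and lower-cased attribute names."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    flags = set()
    for attr in parts[1:]:
        key = attr.split("=", 1)[0].strip().lower()   # attribute names are case-insensitive
        if key:
            flags.add(key)
    return {"name": name, "flags": flags}

def audit_set_cookie(header: str) -> list:
    """Return the required flags missing from one Set-Cookie header (empty list = passes)."""
    parsed = parse_set_cookie(header)
    return [f for f in REQUIRED_FLAGS if f not in parsed["flags"]]

def audit_response(set_cookie_headers: list) -> dict:
    """Map each failing cookie name to its missing flags; compliant cookies are omitted."""
    findings = {}
    for header in set_cookie_headers:
        missing = audit_set_cookie(header)
        if missing:
            findings[parse_set_cookie(header)["name"]] = missing
    return findings

# Constructed sample Set-Cookie headers, as captured from an application's response.
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/",                 # vulnerable: neither flag set
    "authtoken=tok456; Path=/; Secure",          # Secure only, HttpOnly missing
    build_session_cookie("session", "xyz789"),   # hardened form
]

if __name__ == "__main__":
    for cookie, missing in audit_response(SAMPLE_HEADERS).items():
        print(f"{cookie}: missing {', '.join(missing)}")
```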
