Configuration Management / SSL/TLS Cookie without HttpOnly Flag

Web and API

Description

SSL/TLS Cookie without HttpOnly Flag is a configuration management vulnerability (CWE-614) in which a cookie transmitted over an encrypted SSL/TLS connection is issued without the HttpOnly attribute. HttpOnly instructs the browser to withhold the cookie from client-side JavaScript; without it, any script running in the page (for example, script injected through a cross-site scripting flaw) can read the cookie. Web and API applications are affected whenever they are not configured to set this flag. An attacker who can read the cookie obtains whatever sensitive information it carries, such as session identifiers and authentication tokens. The OWASP Testing Guide describes the corresponding test.

Risk

This vulnerability poses a high risk to web and API applications. Although the cookie itself travels over an encrypted connection, transport encryption does not protect it from script running in the user's browser: an attacker who can get script to execute in the page can read authentication tokens and session identifiers from the cookie, which could lead to the attacker taking full control of the user's account.

Solution

The solution to this vulnerability is to configure web and API applications to set the HttpOnly flag on cookies, which prevents them from being accessed by JavaScript. The flag is an attribute of the Set-Cookie response header; most frameworks expose it as an "httponly" option in their session or cookie configuration, and it can also be set on each cookie where it is created. Additionally, the application should set the "secure" flag on any cookies that are transmitted over an encrypted connection, so that the browser never sends them over plain HTTP.
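As an added example that is not part of the original page, the Python script below does what a response audit for this finding does: it parses Set-Cookie headers, reports any cookie that lacks HttpOnly or Secure, and shows the hardened header a server should emit instead. The header values are constructed sample data, and the function names (`parse_set_cookie`, `audit_set_cookie`, `audit_response_cookies`, `build_session_cookie`) are chosen for this illustration; the SameSite attribute in the hardened header goes beyond what the page asks for and is included as common additional hardening.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure attributes.

Added example: the sample headers are constructed, and the function names
are chosen for this illustration rather than taken from any framework.
"""
from typing import Dict, List, Tuple


def parse_set_cookie(set_cookie: str) -> Tuple[str, Dict[str, str]]:
    """Return (cookie name, attributes) for one Set-Cookie header value.

    Attribute names are case-insensitive (RFC 6265), so they are lower-cased;
    value-less attributes such as Secure and HttpOnly map to an empty string.
    """
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_set_cookie(set_cookie: str) -> List[str]:
    """Return the findings for one header; an empty list means it is clean."""
    _, attrs = parse_set_cookie(set_cookie)
    findings: List[str] = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")  # readable by client-side script
    if "secure" not in attrs:
        findings.append("missing Secure")  # browser may send it over plain HTTP
    return findings


def audit_response_cookies(headers: List[str]) -> Dict[str, List[str]]:
    """Map each cookie name in a response's Set-Cookie headers to its findings."""
    return {parse_set_cookie(h)[0]: audit_set_cookie(h) for h in headers}


def build_session_cookie(name: str, value: str, max_age: int) -> str:
    """Emit a Set-Cookie header carrying the attributes the solution calls for.

    SameSite=Lax is additional hardening beyond the HttpOnly/Secure fix.
    """
    return f"{name}={value}; Path=/; Max-Age={max_age}; Secure; HttpOnly; SameSite=Lax"


# Constructed sample headers, as they might appear in a captured HTTPS response.
SAMPLE_SET_COOKIE_HEADERS = [
    "sessionid=abc123; Path=/",                              # neither flag set
    "prefs=dark; Path=/; Secure",                            # Secure only
    "auth=tok456; Path=/; Secure; HttpOnly; SameSite=Lax",   # hardened
]

if __name__ == "__main__":
    for cookie, findings in audit_response_cookies(SAMPLE_SET_COOKIE_HEADERS).items():
        print(f"{cookie}: {', '.join(findings) or 'OK'}")
    print(build_session_cookie("sessionid", "abc123", 3600))
```

The parser lower-cases attribute names so that `HttpOnly`, `httponly` and `HTTPONLY` are all recognised, which matters because browsers accept any casing and a naive case-sensitive scanner would report false positives.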
