cookie flag HttpOnly not set
According to Michael Howard, Senior Security Program Manager in the Secure Windows Initiative group at Microsoft, the majority of XSS attacks target theft of session cookies. A server can mitigate this by setting the HttpOnly flag on the cookies it creates, which tells the browser that the cookie must not be exposed to client-side script.
If a browser that supports HttpOnly receives a cookie carrying the flag and client-side script (for example via document.cookie) attempts to read it, the browser returns an empty string instead. The attack fails because the malicious (usually XSS-injected) code has nothing to send to the attacker's site. The flag does not prevent the XSS itself, and script can still issue requests that the browser sends with the cookie attached; it only stops the cookie value from being read and exfiltrated.
At a glance: Without HttpOnly, any script that runs in the page (typically injected via XSS) can read the session cookie and hijack the session.
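The check behind this finding, as an added example that is not part of the original page or of any scanner: it parses raw Set-Cookie header values (cookie-pair followed by semicolon-separated attributes, attribute names case-insensitive) and reports every cookie a client-side script could read, flagging known session-cookie names as the serious case. The header values and the SESSION_COOKIE_NAMES list are constructed for the example.

```python
"""Report cookies whose Set-Cookie header lacks the HttpOnly flag.

Added example for this page; the sample headers below are constructed, not
captured from a real server.
"""
from dataclasses import dataclass, field

# Session cookie names of common frameworks (assumed list); a missing HttpOnly
# flag on one of these is exactly the session-theft case the page describes.
SESSION_COOKIE_NAMES = {"JSESSIONID", "ASP.NET_SessionId", "PHPSESSID"}


@dataclass
class CookieInfo:
    name: str
    value: str
    # lower-cased attribute name -> attribute value (None for flags like HttpOnly)
    attributes: dict = field(default_factory=dict)

    @property
    def http_only(self) -> bool:
        return "httponly" in self.attributes

    @property
    def secure(self) -> bool:
        return "secure" in self.attributes


def parse_set_cookie(header_value: str) -> CookieInfo:
    """Parse one Set-Cookie value: name=value, then ';'-separated attributes."""
    parts = [p.strip() for p in header_value.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep or not name.strip():
        raise ValueError(f"not a cookie-pair: {parts[0]!r}")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue  # tolerate a trailing ';'
        key, has_val, val = attr.partition("=")
        # HttpOnly, httponly and HTTPONLY all set the flag, so compare lower-cased.
        attrs[key.strip().lower()] = val.strip() if has_val else None
    return CookieInfo(name.strip(), value, attrs)


def find_script_readable_cookies(headers):
    """Return (cookie name, is_session_cookie) for each header without HttpOnly."""
    findings = []
    for h in headers:
        cookie = parse_set_cookie(h)
        if not cookie.http_only:
            findings.append((cookie.name, cookie.name in SESSION_COOKIE_NAMES))
    return findings


# Constructed sample: three Set-Cookie headers as a server might emit them.
SAMPLE_HEADERS = [
    "JSESSIONID=0A1B2C3D4E5F; Path=/app; Secure",                # session cookie, readable by script
    "theme=dark; Path=/; Max-Age=31536000",                       # non-session cookie, readable by script
    "ASP.NET_SessionId=abc123; path=/; HttpOnly; SameSite=Lax",   # protected
]

if __name__ == "__main__":
    for name, is_session in find_script_readable_cookies(SAMPLE_HEADERS):
        severity = "HIGH (session cookie)" if is_session else "low"
        print(f"cookie flag HttpOnly not set: {name} [{severity}]")
```

Run it against the Set-Cookie headers of a real response (for example those returned by a requests or curl call) instead of SAMPLE_HEADERS; it only inspects headers, so cookies that an application sets from script will not appear and need a separate check.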
FIX
Java
// Servlet 3.0 and later: Cookie.setHttpOnly() is available
Cookie cookie = getMyCookie("myCookieName"); // getMyCookie: the application's own cookie factory
cookie.setHttpOnly(true);
response.addCookie(cookie);                  // the flag only reaches the browser with the cookie that is sent
or
<!-- web.xml, Servlet 3.0 or later: applies to the container-managed session cookie -->
<session-config>
  <cookie-config>
    <http-only>true</http-only>
  </cookie-config>
</session-config>
or
// Fallback for containers without setHttpOnly(): rewrite the session cookie header by hand.
// Be careful overwriting: JSESSIONID may have been set with other attributes (Path, Secure,
// Domain) that must be repeated here, otherwise the browser stores a second cookie with a
// different scope instead of replacing the original. Add "; Secure" when served over HTTPS.
String sessionid = request.getSession().getId();
response.setHeader("Set-Cookie", "JSESSIONID=" + sessionid + "; Path=/; HttpOnly");
Tomcat
<!-- context.xml; Tomcat 7 and later default useHttpOnly to true, set it explicitly on Tomcat 6 -->
<Context path="/myWebApplicationPath" useHttpOnly="true" />
JBoss
<!-- JBoss Web context.xml -->
<Context cookies="true" crossContext="true">
  <SessionCookie secure="true" httpOnly="true" />
</Context>
.NET
web.config:
<!-- sets HttpOnly on every cookie the application creates -->
<system.web>
  <httpCookies httpOnlyCookies="true" …>
</system.web>
or
HttpCookie myCookie = new HttpCookie("myCookie");
myCookie.HttpOnly = true;          // per-cookie setting, independent of web.config
Response.AppendCookie(myCookie);