CWE-1004 没有'HttpOnly'标志的敏感Cookie

admin 2022年1月7日02:24:14CWE(弱点枚举)评论18 views2482字阅读8分16秒阅读模式

CWE-1004 没有'HttpOnly'标志的敏感Cookie

结构: Simple

Abstraction: Variant

状态: Incomplete

被利用可能性: Medium


The software uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.


The HttpOnly flag directs compatible browsers to prevent client-side script from accessing cookies. Including the HttpOnly flag in the Set-Cookie HTTP response header helps mitigate the risk associated with Cross-Site Scripting (XSS) where an attacker's script code might attempt to read the contents of a cookie and exfiltrate information obtained. When set, browsers that support the flag will not reveal the contents of the cookie to a third party via client-side script executed via XSS.


  • cwe_Nature: ChildOf cwe_CWE_ID: 732 cwe_View_ID: 1000 cwe_Ordinal: Primary


范围 影响 注释
Confidentiality Read Application Data If the HttpOnly flag is not set, then sensitive information stored in the cookie may be exposed to unintended parties.
Integrity Gain Privileges or Assume Identity If the cookie in question is an authentication cookie, then not setting the HttpOnly flag may allow an adversary to steal authentication data (e.g., a session ID) and assume the identity of the user.




Leverage the HttpOnly flag when setting a sensitive cookie in a response.


In this example, a cookie is used to store a session ID for a client's interaction with a website. The intention is that the cookie will be sent to the website with each request made by the client.

The snippet of code below establishes a new cookie to hold the sessionID.

bad Java

String sessionID = generateSessionId();
Cookie c = new Cookie("session_id", sessionID);

The HttpOnly flag is not set for the cookie. An attacker who can perform XSS could insert malicious script such as:

attack JavaScript


When the client loads and executes this script, it makes a request to the attacker-controlled web site. The attacker can then log the request and steal the cookie.

To mitigate the risk, use the setHttpOnly(true) method.

good Java

String sessionID = generateSessionId();
Cookie c = new Cookie("session_id", sessionID);


标识 说明 链接
CVE-2014-3852 CMS written in Python does not include the HTTPOnly flag in a Set-Cookie header, allowing remote attackers to obtain potentially sensitive information via script access to this cookie.
CVE-2015-4138 Appliance for managing encrypted communications does not use HttpOnly flag.



特别标注: 本站(CN-SEC.COM)所有文章仅供技术研究,若将其信息做其他用途,由用户承担全部法律及连带责任,本站不承担任何法律及连带责任,请遵守中华人民共和国安全法.
  • 我的微信
  • 微信扫一扫
  • weinxin
  • 我的微信公众号
  • 微信扫一扫
  • weinxin
  • 本文由 发表于 2022年1月7日02:24:14
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                  CWE-1004 没有'HttpOnly'标志的敏感Cookie


匿名网友 填写信息

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: