CWE-1004—Sensitive Cookie Without 'HttpOnly' Flag
PUBLISHEDweakness recordMedium
released 2017-01-19 · last modified 2026-04-30
Metadata
- CWE ID:
- CWE-1004
- 摘要:
- Variant
- 结构:
- Simple
- 状态:
- Incomplete
- 发布日期:
- 2017-01-19
- 更新日期:
- 2026-04-30
名称
Sensitive Cookie Without 'HttpOnly' Flag
描述
The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.
常见后果
- 范围:
- Confidentiality
- 影响:
- Read Application Data
- 注释:
- If the HttpOnly flag is not set, then sensitive information stored in the cookie may be exposed to unintended parties.
- 范围:
- Integrity
- 影响:
- Gain Privileges or Assume Identity
- 注释:
- If the cookie in question is an authentication cookie, then not setting the HttpOnly flag may allow an adversary to steal authentication data (e.g., a session ID) and assume the identity of the user.