CWE-1004Sensitive Cookie Without 'HttpOnly' Flag

PUBLISHEDweakness recordMedium
released 2017-01-19 · last modified 2026-04-30
CWE-1004 - Sensitive Cookie Without 'HttpOnly' Flag - Diagram

Metadata

CWE ID:
CWE-1004
摘要:
Variant
结构:
Simple
状态:
Incomplete
发布日期:
2017-01-19
更新日期:
2026-04-30

名称

Sensitive Cookie Without 'HttpOnly' Flag

描述

The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.

常见后果

范围:
Confidentiality
影响:
Read Application Data
注释:
If the HttpOnly flag is not set, then sensitive information stored in the cookie may be exposed to unintended parties.
范围:
Integrity
影响:
Gain Privileges or Assume Identity
注释:
If the cookie in question is an authentication cookie, then not setting the HttpOnly flag may allow an adversary to steal authentication data (e.g., a session ID) and assume the identity of the user.

相关 CWE

相关警报