Cookie Values Used in Anti-CSRF Token

Summary

Netsparker identified a cookie used as Anti-CSRF Token.

Impact

During a cross-site scripting attack, an attacker might easily access cookies and hijack the victim's session even if cookie is marked as HttpOnly. If the cookie is not the session cookie you can ignore this issue.

Remediation

Avoid the usage of session cookie as Anti-CSRF Token.

Classifications

OWASP 2013-A5

Netsparker Security Insights

SameSite Cookies by Default in Chrome 76 and Above
Introducing the Security of Cookies Whitepaper
Cross Site Cookie Manipulation
Analyzing Impact of WWW Subdomain on Cookie Security
Using the Same-Site Cookie Attribute to Prevent CSRF Attacks

Vulnerability Index

You can search and find all vulnerabilities

Select Category

Critical
High
Medium
Low
Information
Best Practice

Search Vulnerability

Tags

Related Vulnerabilities

Blind SQL Injection
SQL Injection
Local File Inclusion
Misconfigured Access-Control-Allow-Origin Header
Missing X-Frame-Options Header

Dead accurate, fast & easy-to-use Web Application Security Scanner

GET A DEMO