Cookie not Marked as HttpOnly Identified on Target Web Application
Netsparker identified a cookie that is not marked as HttpOnly.
A cookie marked HttpOnly cannot be read by client-side script (for example through document.cookie), so the flag adds a layer of protection against cross-site scripting attacks.
Without it, an attacker who achieves cross-site scripting can read the cookie with injected script, send it to a server they control, and hijack the victim's session.
Actions to Take
- See the remedy for the solution.
Remedy
Mark the cookie as HttpOnly. This is an extra layer of defense against XSS, but it is not a silver bullet and does not protect the application against cross-site scripting itself: the browser still attaches an HttpOnly cookie to every request, including requests issued by injected script, so the attacker can act with the victim's session without ever reading the cookie. An attacker can use a tool such as XSS Tunnel, which proxies requests through the victim's browser, to bypass HttpOnly protection in exactly this way. Fix the underlying cross-site scripting issue, and set the Secure and SameSite attributes on the cookie as well.
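As an added example that is not part of the original report, the following Python builds a Set-Cookie header value carrying HttpOnly (plus Secure and SameSite), and implements the check a scanner performs for this finding: parsing each Set-Cookie header of a response and reporting the cookies that lack HttpOnly. The cookie names and sample headers are constructed for illustration.

```python
"""Build an HttpOnly session cookie and detect cookies that lack the flag.

Added example, not code from the original report. Cookie names and the sample
response headers below are constructed for illustration.
"""
from http.cookies import SimpleCookie


def build_session_cookie(name: str, value: str, secure: bool = True) -> str:
    """Return a Set-Cookie header value for a session cookie marked HttpOnly.

    Secure and SameSite=Lax are set as well; HttpOnly alone only stops
    client-side script from reading the cookie via document.cookie, the
    browser still attaches it to requests that injected script makes.
    """
    cookie = SimpleCookie()
    cookie[name] = value
    morsel = cookie[name]
    morsel["httponly"] = True    # not readable from document.cookie
    morsel["path"] = "/"
    morsel["samesite"] = "Lax"   # not sent on cross-site POSTs
    if secure:
        morsel["secure"] = True  # only sent over HTTPS
    return morsel.OutputString()


def cookie_attributes(set_cookie: str):
    """Split one Set-Cookie header value into (cookie name, {attr_lower: value}).

    Attribute names are lower-cased because browsers match them
    case-insensitively ("httponly" is honoured just like "HttpOnly").
    """
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def find_cookies_without_httponly(set_cookie_headers):
    """Return the names of cookies whose Set-Cookie header lacks HttpOnly.

    This is the condition the finding above reports; each Set-Cookie header
    is inspected separately, since a response may set several cookies.
    """
    missing = []
    for header in set_cookie_headers:
        name, attrs = cookie_attributes(header)
        if "httponly" not in attrs:
            missing.append(name)
    return missing


# Constructed sample response headers: one hardened session cookie built
# above, one legacy cookie set without HttpOnly (the reported condition),
# and one where the attribute is spelled in lower case (still honoured).
SAMPLE_HEADERS = [
    build_session_cookie("SESSIONID", "d41d8cd98f00b204"),
    "legacy_auth=abc123; Path=/; Secure",
    "pref=dark; path=/; httponly",
]

if __name__ == "__main__":
    print(build_session_cookie("SESSIONID", "d41d8cd98f00b204"))
    print("Cookies missing HttpOnly:", find_cookies_without_httponly(SAMPLE_HEADERS))
```

Running the block reports only legacy_auth as missing HttpOnly. The checker matches the attribute case-insensitively, as browsers do, so a lower-case "httponly" is not a false positive; the absence of the attribute is the only thing reported.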