CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag

Abstraction: Variant | Status: Incomplete | Structure: Simple

CWE Version: 4.18

Last Updated: 2025-09-09

Description

The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.

Extended Description

The HttpOnly flag directs compatible browsers to prevent client-side script from accessing cookies. Including the HttpOnly flag in the Set-Cookie HTTP response header helps mitigate the risk associated with Cross-Site Scripting (XSS), where an attacker's script might attempt to read the contents of a cookie and exfiltrate the information obtained. When the flag is set, browsers that support it will not reveal the contents of the cookie to a third party via client-side script executed through XSS. Note that HttpOnly only prevents script from reading the cookie value: a script running in the page can still cause the browser to attach the cookie to requests it issues, so the flag reduces, but does not eliminate, the impact of an XSS vulnerability.

Common Consequences

Scope: Confidentiality

Technical Impact: Read Application Data

Note: If the HttpOnly flag is not set, then sensitive information stored in the cookie may be exposed to unintended parties.

Scope: Integrity

Technical Impact: Gain Privileges or Assume Identity

Note: If the cookie in question is an authentication cookie, then not setting the HttpOnly flag may allow an adversary to steal authentication data (e.g., a session ID) and assume the identity of the user.

Potential Mitigations

Phase: Implementation

Description: Set the HttpOnly flag whenever a sensitive cookie (session identifier, authentication token) is emitted in a response.

Effectiveness: High

Detection Methods

Method: Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.).

Effectiveness: High
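The following Node.js snippet is an added example, not code from the CWE entry, serving both the mitigation above (emitting the Set-Cookie header with HttpOnly alongside Secure and SameSite) and a complementary runtime check to the static analysis described: it parses captured Set-Cookie header values and flags any cookie in a caller-supplied list of sensitive names that lacks HttpOnly. The cookie names, values and the "weak" and "hardened" header sets are constructed samples; the attribute matching is case-insensitive because browsers treat `HttpOnly`, `httponly` and `HTTPOnly` identically.

```javascript
// Added example (not part of the CWE entry). Builds Set-Cookie header
// values and audits them for sensitive cookies missing HttpOnly.
// All cookie names and values below are constructed samples.

// Build a Set-Cookie header value. Attribute names follow RFC 6265;
// Secure and HttpOnly are flag attributes with no value.
function buildSetCookie(name, value, opts = {}) {
  const parts = [`${name}=${value}`];
  if (opts.path) parts.push(`Path=${opts.path}`);
  if (opts.maxAge !== undefined) parts.push(`Max-Age=${opts.maxAge}`);
  if (opts.secure) parts.push('Secure');
  if (opts.httpOnly) parts.push('HttpOnly');
  if (opts.sameSite) parts.push(`SameSite=${opts.sameSite}`);
  return parts.join('; ');
}

// Parse one Set-Cookie header value into its name, value and a map of
// lower-cased attribute names. Flag attributes (HttpOnly, Secure) map
// to true; valued attributes (Path, SameSite, ...) map to their string.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attrs = {};
  for (const attr of rest) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name, value, attrs };
}

// Return one finding per header that sets a cookie whose name is in
// sensitiveNames (compared case-insensitively) without HttpOnly.
function auditSetCookies(headers, sensitiveNames) {
  const wanted = new Set(sensitiveNames.map((n) => n.toLowerCase()));
  const findings = [];
  for (const header of headers) {
    const cookie = parseSetCookie(header);
    if (wanted.has(cookie.name.toLowerCase()) && !cookie.attrs.httponly) {
      findings.push({ cookie: cookie.name, header, reason: 'missing HttpOnly' });
    }
  }
  return findings;
}

// Constructed samples: the cookie names an application treats as
// sensitive, what a weak server emits, and what a hardened one emits.
const SENSITIVE = ['sessionid', 'auth_token'];
const WEAK_HEADERS = [
  buildSetCookie('sessionid', 'c0ffee', { path: '/' }),          // readable by script
  buildSetCookie('theme', 'dark', { path: '/' }),                 // not sensitive, fine
  buildSetCookie('auth_token', 'deadbeef', { secure: true }),     // Secure alone is not enough
];
const HARDENED_HEADERS = [
  buildSetCookie('sessionid', 'c0ffee', { path: '/', secure: true, httpOnly: true, sameSite: 'Lax' }),
  buildSetCookie('theme', 'dark', { path: '/' }),
  buildSetCookie('auth_token', 'deadbeef', { secure: true, httpOnly: true, sameSite: 'Strict' }),
];

console.log('weak:', auditSetCookies(WEAK_HEADERS, SENSITIVE));         // two findings
console.log('hardened:', auditSetCookies(HARDENED_HEADERS, SENSITIVE)); // []
```

In a real Node.js handler the hardened header is emitted with `res.setHeader('Set-Cookie', buildSetCookie(...))`; frameworks expose the same attributes as options (Express's `res.cookie(name, value, { httpOnly: true, secure: true, sameSite: 'strict' })`). The audit function is the kind of check a proxy or integration test can run over recorded responses to catch the cases the static-analysis description above notes SAST may miss, such as cookies set from client-side script or assembled from string fragments.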

Observed Examples

Reference: CVE-2022-24045

Web application for a room automation system has client-side JavaScript that sets a sensitive cookie without the HttpOnly security attribute, allowing the cookie to be accessed.

Reference: CVE-2014-3852

CMS written in Python does not include the HttpOnly flag in a Set-Cookie header, allowing remote attackers to obtain potentially sensitive information via script access to this cookie.

Reference: CVE-2015-4138

Appliance for managing encrypted communications does not use the HttpOnly flag.

Modes of Introduction

Phase: Implementation

Applicable Platforms

Languages: Not Language-Specific (Undetermined)

Technologies: Web Based (Undetermined)

Key Information

CWE ID: CWE-1004

Abstraction: Variant

Structure: Simple

Status: Incomplete

Likelihood of Exploit: Medium

Related Weaknesses