Vulnerability ID: M6Z3-L55A-1TDK-MKJP
Application Name: apple
Application Code: AAPL
Vulnerability Link: http://localhost:19080/Contrast/static/ng/index.html#/7c6cfec5-a187-4d5e-984a-d11d96d2ef63/applications/3c77ce97-6b6e-4335-ba9c-cba8465cae64/vulns/M6Z3-L55A-1TDK-MKJP
What Happened?
The HttpCookie created in the following call in Response.java did not contain the HttpOnly flag:
response.addHeader("Set-Cookie","JSESSIONID=8EF331C20B58C9D992E49BD3EC8FBB30; Pa...")
What's the risk?
This site does not specify the HTTPOnly flag for session cookies.
In most browsers, the HTTPOnly flag prevents a user's cookie from being accessed by client-side scripts, including malicious scripts inserted by Cross-Site Scripting (XSS) attacks. Setting this cookie attribute does not eliminate XSS vulnerabilities, but it does reduce the likelihood that an XSS vulnerability can be used to extract valuable application-based session and/or authentication cookies from the victim's browser.
Recommendation
This site does not specify the HTTPOnly flag for its session cookie. In most browsers, the HTTPOnly flag prevents a user's cookie from being accessed by client-side scripts, including malicious scripts inserted by a Cross-Site Scripting (XSS) attack. Setting this cookie attribute does not eliminate XSS vulnerabilities, but it does reduce the likelihood that an XSS vulnerability can be used to extract valuable application-based session and/or authentication cookies from the victim's browser.
HTTP Request
GET http://localhost:8080/WebGoat/start.mvc HTTP/1.0
Accept-Language: en-US,en;q=0.5
Cookie: JSESSIONID=C374F6C1E28940B44A311888295B2855; AJS.conglomerate.cookie="|config.sidebar.planNavigator.expanded=true|tabContainer.tabContainer.selectedTab=Capabilities|tabContainer.remote-agents-tabs.selectedTab=Online remote agents"; language=en
Host: localhost:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:74.0) Gecko/20100101 Firefox/74.0
Upgrade-Insecure-Requests: 1
Connection: keep-alive
Cache-Control: max-age=0
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
References
https://www.owasp.org/index.php/Top_10_2013-A2-Broken_Authentication_and_Session_Management