jvlstuff / JavaVulnerableLab

lab
GNU General Public License v2.0

CX HttpOnlyCookies @ src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java [refs/heads/master] #185

Open github-actions[bot] opened 2 years ago

github-actions[bot] commented 2 years ago

HttpOnlyCookies issue exists @ src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java in branch refs/heads/master

The web application's processRequest method creates a cookie privilege, at line 59 of src\main\java\org\cysecurity\cspf\jvl\controller\LoginValidator.java, and returns it in the response. However, the application is not configured to automatically set the cookie with the "httpOnly" attribute, and the code does not explicitly add this to the cookie.

Severity: Medium

CWE:1004

Vulnerability details and guidance: Checkmarx Training, Recommended Fix

Lines: 64, 59, 63


Code (Line #64):

    Cookie password=new Cookie("password",pass);

Code (Line #59):

    Cookie privilege=new Cookie("privilege","user");

Code (Line #63):

    Cookie username=new Cookie("username",user);
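The finding above is about cookies that are written to the response without the HttpOnly attribute, so any script running in the page can read them through `document.cookie`. The following is an added example (not code from the JavaVulnerableLab repository and not the Checkmarx recommended-fix text) that puts the flagged pattern next to a hardened form. It assumes a Servlet 3.0 or later container, where `javax.servlet.http.Cookie` has `setHttpOnly`; the class and method names (`CookieHardeningExample`, `vulnerable`, `hardened`, `hardenedCookie`, `hardenedLegacy`) are invented for the illustration.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

// Added example, not part of the JavaVulnerableLab project.
// Assumes Servlet API 3.0+ so that Cookie.setHttpOnly(boolean) exists.
public class CookieHardeningExample {

    // The pattern the scanner flags (CWE-1004): cookies are created and
    // added to the response with no HttpOnly attribute, so client-side
    // script in the page can read them via document.cookie.
    static void vulnerable(HttpServletResponse response, String user, String pass) {
        Cookie privilege = new Cookie("privilege", "user");
        Cookie username = new Cookie("username", user);
        Cookie password = new Cookie("password", pass);
        response.addCookie(privilege);
        response.addCookie(username);
        response.addCookie(password);
    }

    // Hardened form: build every cookie through one helper so that no
    // cookie leaves the application without HttpOnly (and Secure).
    static Cookie hardenedCookie(String name, String value) {
        Cookie c = new Cookie(name, value);
        c.setHttpOnly(true); // not exposed to document.cookie
        c.setSecure(true);   // only sent over HTTPS
        c.setPath("/");      // explicit scope instead of the request path
        return c;
    }

    static void hardened(HttpServletResponse response, String user, String pass) {
        response.addCookie(hardenedCookie("privilege", "user"));
        response.addCookie(hardenedCookie("username", user));
        response.addCookie(hardenedCookie("password", pass));
        // HttpOnly only stops script access. It does not make a cookie that
        // carries a password or a client-editable privilege flag safe; that
        // kind of state belongs in the server-side session, not in a cookie.
    }

    // Containers older than Servlet 3.0 have no setHttpOnly; the attribute
    // has to be written into the Set-Cookie header by hand.
    static void hardenedLegacy(HttpServletResponse response, String user) {
        response.setHeader("Set-Cookie",
                "username=" + user + "; Path=/; Secure; HttpOnly");
    }
}
```

To confirm the fix after deploying, look at the raw response headers (for example with `curl -i` against the login endpoint, or the browser devtools Network tab): every `Set-Cookie` line the login handler emits should end with `; HttpOnly`, and the cookies should no longer appear when `document.cookie` is evaluated in the page's console.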

github-actions[bot] commented 2 years ago

Issue still exists.