Leverage the HttpOnly flag when setting a sensitive cookie in a response. Effectiveness: High Note: While this mitigation is effective for protecting cookies from a browser's own scripting engine, third-party components or plugins may have their own engines that allow access to cookies. Attackers might also be able to use XmlHttpResponse to read the headers directly and obtain the cookie.
No detection method information available for this CWE.
No examples or observed CVEs available for this CWE.
No relationship information available for this CWE.
CWE-1004: CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag is a Common Weakness Enumeration (CWE) entry maintained by MITRE. Description
If exploited, CWE-1004 (CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag) it can compromise Read Application Data and Gain Privileges or Assume Identity, leading to outcomes such as Scope: Confidentiality If the HttpOnly flag is not set, then sensitive information stored in the cookie may be exposed to unintended parties., Scope: Integrity If the cookie in question is an authentication cookie, then not setting the HttpOnly flag may allow an adversary to steal authentication data (e.g. and a session ID) and assume the identity of the user..
Recommended mitigations for CWE-1004 include: Leverage the HttpOnly flag when setting a sensitive cookie in a response. Effectiveness: High Note: While this mitigation is effective for protecting cookies from a browser's own scripting engine, third-party components or plugins may have their own engines that allow access to cookies. Attackers might also be able to use XmlHttpResponse to read the headers directly and obtain the cookie.
CWE-1004 commonly affects Languages. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
A CWE (Common Weakness Enumeration) like CWE-1004 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.