CWE-1004: CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag

VariantStable

Description

View on MITRE
Back to CWE Lookup

Technical Details

Structure
Simple
Vulnerability Mapping
ALLOWED

Applicable To

Languages
Languages
Platforms
Languages

Frequently Asked Questions

What is CWE-1004: CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag?+

CWE-1004: CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag is a Common Weakness Enumeration (CWE) entry maintained by MITRE. Description

What are the security consequences of CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag?+

If exploited, CWE-1004 (CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag) it can compromise Read Application Data and Gain Privileges or Assume Identity, leading to outcomes such as Scope: Confidentiality If the HttpOnly flag is not set, then sensitive information stored in the cookie may be exposed to unintended parties., Scope: Integrity If the cookie in question is an authentication cookie, then not setting the HttpOnly flag may allow an adversary to steal authentication data (e.g. and a session ID) and assume the identity of the user..

How do you prevent or mitigate CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag?+

Recommended mitigations for CWE-1004 include: Leverage the HttpOnly flag when setting a sensitive cookie in a response. Effectiveness: High Note: While this mitigation is effective for protecting cookies from a browser's own scripting engine, third-party components or plugins may have their own engines that allow access to cookies. Attackers might also be able to use XmlHttpResponse to read the headers directly and obtain the cookie.

Which programming languages are affected by CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag?+

CWE-1004 commonly affects Languages. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-1004 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More