SYM_GO_0017 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
# Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute |
| OWASP | A05:2021 - Security Misconfiguration |
| Confidence Level | Medium |
| Impact Level | Low |
| Likelihood Level | Low |
## Description

The code creates session cookies without setting the 'Secure' flag to true. Without that flag the browser will also send the cookie over unencrypted HTTP connections to the same host, where it can be intercepted.
## Impact

If the 'Secure' flag is missing, an attacker positioned on the same network can capture session cookies from unencrypted requests, potentially hijacking user sessions and gaining unauthorized access to sensitive parts of the application.
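The following Go example is added here to illustrate this entry; it is not code from the Symbiotic database or any audited project. Go is assumed from the `SYM_GO_` entry prefix, the function names are hypothetical, and `cookieIsSecure` shows how a unit test can catch the weak setter before it ships.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// setSessionCookieInsecure is the pattern CWE-614 describes: the session
// cookie is issued without Secure, so the browser will also attach it to
// plain-HTTP requests to the same host.
func setSessionCookieInsecure(w http.ResponseWriter, sessionID string) {
	http.SetCookie(w, &http.Cookie{
		Name:     "session",
		Value:    sessionID,
		Path:     "/",
		HttpOnly: true,
	})
}

// setSessionCookieSecure is the corrected form: Secure limits the cookie
// to HTTPS; HttpOnly and SameSite are kept as defense in depth.
func setSessionCookieSecure(w http.ResponseWriter, sessionID string) {
	http.SetCookie(w, &http.Cookie{
		Name:     "session",
		Value:    sessionID,
		Path:     "/",
		Secure:   true,
		HttpOnly: true,
		SameSite: http.SameSiteLaxMode,
	})
}

// cookieIsSecure records the response a setter produces and reports whether
// the "session" cookie carries the Secure attribute, as parsed from the
// actual Set-Cookie header rather than from the struct that built it.
func cookieIsSecure(set func(http.ResponseWriter, string)) bool {
	rec := httptest.NewRecorder()
	set(rec, "constructed-session-id") // constructed sample value
	for _, c := range rec.Result().Cookies() {
		if c.Name == "session" {
			return c.Secure
		}
	}
	return false
}

func main() {
	fmt.Printf("insecure setter: %v, secure setter: %v\n",
		cookieIsSecure(setSessionCookieInsecure), cookieIsSecure(setSessionCookieSecure))
}
```

Running it prints `insecure setter: false, secure setter: true`; the same check can be applied to any handler's recorded response in a test suite.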