SYM_PY_0231 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
# Sensitive Cookie Without 'HttpOnly' Flag

| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag |
| OWASP | A05:2021 - Security Misconfiguration |
| Confidence Level | Medium |
| Impact Level | Low |
| Likelihood Level | Low |

## Description
The Pyramid AuthTkt cookie is being set without the 'httponly' flag enabled. The authentication cookie therefore stays readable by client-side scripts (for example through `document.cookie`), so a cross-site scripting (XSS) flaw anywhere on the same origin is enough to steal it; with the flag set, the browser withholds the cookie from script and only attaches it to requests.
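The example below is added here and is not code from the wiki entry or from the Pyramid project. It shows the two sides of this finding: `pyramid_policy_kwargs` returns the keyword arguments you would pass to `pyramid.authentication.AuthTktAuthenticationPolicy` in the weak and hardened form (the flag in Pyramid's API is spelled `http_only`; the `samesite` argument exists in Pyramid 1.10 and later), and `audit_set_cookie` is a stdlib-only check that inspects `Set-Cookie` header values from a response and reports sensitive cookies that lack `HttpOnly` or `Secure`. The ticket value and cookie lines are constructed for the example; `emit_set_cookie` is a hypothetical helper that renders a header the way a server would, so the check can be exercised without running a Pyramid app.

```python
from __future__ import annotations

from http import cookies

# Constructed sample ticket; a real Pyramid auth_tkt value carries an HMAC,
# timestamp, userid and tokens, but its exact format does not matter here.
SAMPLE_TICKET = "0123456789abcdef0123456789abcdef5f3e2a1c" + "alice"


def pyramid_policy_kwargs(hardened: bool) -> dict:
    """Keyword arguments for pyramid.authentication.AuthTktAuthenticationPolicy.

    `http_only` is the argument this finding is about; `secure` and `samesite`
    are the companion attributes usually fixed in the same change.
    """
    if not hardened:
        # Weak configuration: Pyramid defaults http_only to False, so omitting
        # the argument behaves exactly like passing False.
        return {"cookie_name": "auth_tkt", "http_only": False, "secure": False}
    # Hardened configuration: cookie is withheld from script, sent only over
    # TLS, and not attached to cross-site top-level POSTs.
    return {
        "cookie_name": "auth_tkt",
        "http_only": True,
        "secure": True,
        "samesite": "Lax",  # Pyramid >= 1.10
    }


def emit_set_cookie(name: str, value: str, http_only: bool, secure: bool = False) -> str:
    """Hypothetical server-side helper: render a Set-Cookie header value."""
    jar = cookies.SimpleCookie()
    jar[name] = value
    jar[name]["path"] = "/"
    if http_only:
        jar[name]["httponly"] = True
    if secure:
        jar[name]["secure"] = True
    return jar[name].OutputString()


def parse_set_cookie(header: str) -> tuple[str, set[str]]:
    """Split a Set-Cookie value into (cookie name, lower-cased attribute names)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_set_cookie(headers: list[str], sensitive: tuple[str, ...] = ("auth_tkt",)) -> list[str]:
    """Return one finding per sensitive cookie that is missing HttpOnly or Secure.

    Non-sensitive cookies (preferences, analytics) are ignored so the check
    produces findings only for the cookies that grant access.
    """
    findings: list[str] = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if name not in sensitive:
            continue
        if "httponly" not in attrs:
            findings.append(f"{name}: missing HttpOnly (CWE-1004)")
        if "secure" not in attrs:
            findings.append(f"{name}: missing Secure")
    return findings


if __name__ == "__main__":
    weak = emit_set_cookie("auth_tkt", SAMPLE_TICKET, http_only=False)
    fixed = emit_set_cookie("auth_tkt", SAMPLE_TICKET, http_only=True, secure=True)
    print("weak  :", weak, "->", audit_set_cookie([weak]))
    print("fixed :", fixed, "->", audit_set_cookie([fixed]))
    print("policy:", pyramid_policy_kwargs(hardened=True))
```

In a real review the `headers` list comes from the application's responses (for example the `Set-Cookie` values captured by a test client after a login), so the same function doubles as a regression test that fails if someone later drops `http_only=True` from the policy.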
## Impact
If exploited, an attacker could steal a user's authentication cookie via malicious scripts, potentially allowing them to hijack user sessions and gain unauthorized access to sensitive parts of your application. This compromises user data and could lead to further attacks within your system.