SYM_PY_0235 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Sensitive Cookie Without 'HttpOnly' Flag
| Property | Value |
|---|---|
| Language | Python |
| Severity | |
| CWE | CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag |
| OWASP | A05:2021 - Security Misconfiguration |
| Confidence Level | Medium |
| Impact Level | Low |
| Likelihood Level | Low |
Description
A response in your Pyramid application sets a cookie without explicitly setting the 'httponly' flag to True. Because the flag is off by default, the cookie is sent without the HttpOnly attribute and can be read by client-side script running in the browser.
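The following is an added example, not code from the SymbioticSec database: a stdlib-only audit that parses Set-Cookie header values (as read back from a Pyramid/WebOb response's header list) and reports cookies that lack HttpOnly. The sample headers are constructed; the first is what `response.set_cookie('session', v)` emits with `httponly` left at its default, the second the same call made with `httponly=True, secure=True, samesite='Lax'`.

```python
"""Audit Set-Cookie headers for the missing HttpOnly flag (CWE-1004).

Runs without Pyramid installed: it only inspects header strings, so it can be
pointed at any response's Set-Cookie values in a test. Remediation in Pyramid
is response.set_cookie(name, value, httponly=True, secure=True, samesite='Lax').
"""

# Constructed Set-Cookie header values, as they would appear in
# response.headerlist. Only the second one is correctly configured.
SAMPLE_HEADERS = [
    "session=abc123; Path=/",                                  # misconfigured
    "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",  # corrected
    "theme=dark; Path=/",                                      # no HttpOnly either
]


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie value into name, value and lower-cased attributes.

    Flags such as HttpOnly/Secure become {"httponly": True}; attributes with a
    value such as Path=/ become {"path": "/"}.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, sep, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def missing_httponly(header: str) -> bool:
    """True when the cookie is readable from client-side script."""
    return parse_set_cookie(header)["attrs"].get("httponly") is not True


def audit(headers) -> list:
    """Return the names of cookies set without HttpOnly, in order of appearance."""
    return [parse_set_cookie(h)["name"] for h in headers if missing_httponly(h)]


if __name__ == "__main__":
    for cookie_name in audit(SAMPLE_HEADERS):
        print(f"cookie {cookie_name!r} is set without HttpOnly")
```

Wire `audit()` into a test that calls the view and passes in `response.headers.getall('Set-Cookie')` so the check fails before a regression reaches production.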
Impact
If exploited, attackers could steal sensitive cookies through cross-site scripting (XSS), potentially gaining unauthorized access to user accounts or sensitive data. This weakens session security and increases the risk of account compromise.