SESSION COOKIE NOT HTTP ONLY

Feature      Value
Type         Detection
Risk         OWASP A6
Covered by   Agent

According to the Secure Windows Initiative group at Microsoft, the majority of XSS attacks aim to steal session cookies. A server can mitigate this by setting the HttpOnly flag on the cookies it creates, which tells the browser that the cookie must not be exposed to client-side script.

If a browser that supports HttpOnly receives a cookie carrying the HttpOnly flag, client-side script cannot read it: the cookie is omitted from document.cookie (so a page whose only cookie is the HttpOnly session cookie sees an empty string), and it is not exposed through script-accessible response headers either. This makes the most common payload fail, because the injected (usually XSS) script cannot send the session identifier to an attacker's website. Note that HttpOnly does not prevent the XSS itself: the injected script still runs inside the user's session, and the browser still attaches the cookie to any request that script makes, so the flag limits cookie theft rather than fixing the injection.
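To check a server's responses for this finding, the following Python script (added here as an example, not the scanner's own detection logic) parses raw Set-Cookie header values the way a browser splits them and reports session cookies that lack the HttpOnly attribute. The list of session-cookie names and the sample headers are constructed assumptions for the example, and it also reports a missing Secure flag on the same cookie, which goes slightly beyond the page's topic.

```python
"""Detect session cookies set without the HttpOnly flag.

Added example (not the scanner's own detection code). It splits raw
Set-Cookie header values the way a browser does (RFC 6265): the first
'name=value' pair, then ';'-separated attributes whose names are
case-insensitive. The session-cookie names and the sample headers below
are constructed assumptions for this example.
"""

# Names the example treats as session cookies (assumption: extend as needed).
SESSION_COOKIE_NAMES = {
    "jsessionid", "phpsessid", "asp.net_sessionid",
    "sessionid", "session", "connect.sid",
}


def parse_set_cookie(header):
    """Return (name, value, attrs) for one Set-Cookie header value.

    attrs maps lower-cased attribute names to their value, or to True for
    bare flags such as HttpOnly and Secure. An optional 'Set-Cookie:'
    prefix is tolerated so pasted raw headers work as input.
    """
    if header.lower().startswith("set-cookie:"):
        header = header[len("set-cookie:"):]
    pieces = [p.strip() for p in header.split(";")]
    # partition keeps '=' characters that appear inside the cookie value
    name, _, value = pieces[0].partition("=")
    attrs = {}
    for piece in pieces[1:]:
        if not piece:
            continue
        key, has_value, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value.strip(), attrs


def is_session_cookie(name):
    return name.lower() in SESSION_COOKIE_NAMES


def find_unprotected_session_cookies(set_cookie_headers):
    """Return [(cookie_name, missing_flags)] for every session cookie that
    lacks HttpOnly. Secure is checked alongside it because a reviewer of
    this finding normally wants both flags on the session cookie."""
    findings = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if not is_session_cookie(name):
            continue
        missing = [flag for flag in ("HttpOnly", "Secure")
                   if flag.lower() not in attrs]
        if "HttpOnly" in missing:
            findings.append((name, missing))
    return findings


# Constructed sample response headers for the example.
SAMPLE_HEADERS = [
    "JSESSIONID=9A3F1C2E; Path=/; Secure; HttpOnly",
    "Set-Cookie: PHPSESSID=abc123; Path=/",
    "theme=dark; Path=/",
    "connect.sid=s%3Axyz.sig; Path=/; HTTPONLY",
]

if __name__ == "__main__":
    for name, missing in find_unprotected_session_cookies(SAMPLE_HEADERS):
        print(f"{name}: missing {', '.join(missing)}")
```

Run against the constructed sample, only PHPSESSID is reported; the upper-case HTTPONLY on connect.sid is accepted because attribute names are compared case-insensitively, as browsers do.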

More information

How to solve it

Where possible, set the HttpOnly flag on session cookies to reduce the impact of XSS attacks. For a cookie you create yourself, set it through the Servlet API as below; for the container-managed session cookie (JSESSIONID), set it in the Servlet 3.0 session cookie configuration (the http-only element under cookie-config in web.xml, or SessionCookieConfig.setHttpOnly(true)). The flag does not fix the XSS itself, so the underlying output-encoding defect still has to be addressed.

import javax.servlet.http.Cookie;          // Servlet 3.0+ is required for setHttpOnly
Cookie cookie = new Cookie("foo", "bar");  // Create cookie
cookie.setHttpOnly(true);                  // HttpOnly cookie
response.addCookie(cookie);                // response: the HttpServletResponse being built