Details
Alert ID 100003
Alert Type Script Passive
Status alpha
Risk Low
CWE
WASC 13
Technologies Targeted All
Tags
More Info Scan Rule Help

Summary

A cookie has been set without the HttpOnly flag, which means that it can be read by JavaScript running in the page (for example via document.cookie). If an attacker can run script in the page, for instance through a cross-site scripting flaw, the cookie can be read and sent to a site the attacker controls. If the cookie is a session cookie, this may allow session hijacking.

Solution

Ensure that the HttpOnly flag is set for all cookies that do not need to be read by client-side script; session cookies and other authentication tokens should always carry it. Note that HttpOnly only stops script from reading the cookie, it does not stop the browser from sending it with requests, so it should be combined with the Secure and SameSite attributes.
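The following is an added, stand-alone example of the check described in the Summary and the fix described in the Solution above. It is not the ZAP script itself (which runs inside ZAP and uses ZAP's scripting API to read the response and raise the alert); it parses Set-Cookie header values, reports the cookies that lack HttpOnly, and builds a hardened header that passes the check. The sample headers are constructed for the example.

```javascript
// Added example, not the passive/CookieHTTPOnly.js script from ZAP: the same
// check as the scan rule, applied to a list of Set-Cookie header values.

// Parse one Set-Cookie header value into its cookie name and attribute map.
// Attribute names are case-insensitive (RFC 6265), so they are lower-cased;
// a valueless attribute such as HttpOnly or Secure is stored as `true`.
function parseSetCookie(headerValue) {
  const parts = headerValue.split(';').map((p) => p.trim()).filter(Boolean);
  const [nameValue, ...attrParts] = parts;
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq).trim();
  const attributes = {};
  for (const attr of attrParts) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name, attributes };
}

// Return the names of cookies that script in the page could read, i.e. those
// set without the HttpOnly attribute. This is what the alert reports.
function cookiesWithoutHttpOnly(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => !('httponly' in c.attributes))
    .map((c) => c.name);
}

// Build a hardened Set-Cookie value for a session cookie: HttpOnly keeps it
// out of document.cookie, Secure limits it to HTTPS, SameSite limits CSRF.
function hardenedSessionCookie(name, value) {
  return `${name}=${value}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed sample response headers (not captured from a real site).
const sampleHeaders = [
  'JSESSIONID=abc123; Path=/; Secure',            // session cookie, no HttpOnly
  'theme=dark; Path=/; Max-Age=31536000',          // UI preference, no HttpOnly
  'csrf=tok; Path=/; HttpOnly; SameSite=Strict',   // flagged correctly
  'pref=1; path=/; httponly',                      // lower-case attribute names
];

console.log('cookies readable by script:', cookiesWithoutHttpOnly(sampleHeaders));
console.log('hardened header:', hardenedSessionCookie('JSESSIONID', 'abc123'));
```

Running it reports JSESSIONID and theme; the two cookies that carry HttpOnly (in either case) are not reported, and the hardened header produced by hardenedSessionCookie passes the check. Only JSESSIONID would be a finding worth acting on, which is why the alert is rated Low and needs triage per cookie.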

Other Info

References

Code

passive/CookieHTTPOnly.js