Details
Alert Id: 10010
Alert Type: Passive
Status: release
Risk: Low
CWE: 1004
WASC: 13
Technologies Targeted: All
Tags: OWASP_2017_A06, OWASP_2021_A05, WSTG-V42-SESS-02

Summary

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

Solution

Ensure that the HttpOnly flag is set for all cookies.
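
The condition this alert reports can be checked outside ZAP, for example in a regression test over captured response headers. The following is an added example, not the code of CookieHttpOnlyScanRule.java; the function names and sample headers are constructed, and skipping cookie-deletion headers (Max-Age of zero or less) is this example's own choice.

```python
# Added example: a passive check over Set-Cookie header values.
# Not ZAP's CookieHttpOnlyScanRule; all names here are hypothetical.

def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, attrs) with lower-cased attribute names."""
    parts = [p.strip() for p in header_value.split(";")]
    # The first segment is always name=value, never an attribute.
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def is_deletion(attrs):
    """True when the header only clears a cookie (Max-Age <= 0)."""
    try:
        return int(attrs.get("max-age", "1")) <= 0
    except ValueError:
        return False


def cookies_missing_httponly(set_cookie_values):
    """Return the names of cookies set without the HttpOnly attribute."""
    findings = []
    for value in set_cookie_values:
        name, attrs = parse_set_cookie(value)
        if not name or is_deletion(attrs):
            continue
        if "httponly" not in attrs:
            findings.append(name)
    return findings


# Constructed sample Set-Cookie values (not captured traffic).
SAMPLE = [
    "SESSIONID=abc123; Path=/; Secure; HttpOnly",  # compliant
    "tracking=xyz; Path=/; Secure",                # flag missing
    "theme=dark; path=/; httponly",                # attribute names are case-insensitive
    "note=HttpOnly; Path=/",                       # "HttpOnly" is the value, not a flag
    "old=; Max-Age=0; Path=/",                     # deletion, skipped
]

if __name__ == "__main__":
    for cookie in cookies_missing_httponly(SAMPLE):
        print(f"Cookie No HttpOnly Flag: {cookie}")
```

Matching on parsed attribute names rather than searching the header for the substring "HttpOnly" avoids treating a cookie whose value happens to contain that text as protected.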

References

Code

org/zaproxy/zap/extension/pscanrules/CookieHttpOnlyScanRule.java