Details
Alert Id 10010
Alert Type Passive Scan Rule
Status release
Risk Low
CWE 16
WASC 13

Summary

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

Solution

Ensure that the HttpOnly flag is set for all cookies.

References

Code

org/zaproxy/zap/extension/pscanrules/CookieHttpOnlyScanRule.java