ZAP – Cookie Without Secure Flag

Details
Alert ID	10011
Alert Type	Passive
Status	release
Risk	Low
CWE	614
WASC	13
Technologies Targeted	All
Tags	CWE-614 OWASP_2017_A06 OWASP_2021_A05 POLICY_DEV_STD POLICY_PENTEST POLICY_QA_STD SYSTEMIC WSTG-V42-SESS-02
More Info	Scan Rule Help

Summary

A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.

Solution

Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information.

Other Info

References

https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html

Code

org/zaproxy/zap/extension/pscanrules/CookieSecureFlagScanRule.java