Cookie - HttpOnly Attribute Is Not Set

In this blog, we will discuss how a cookie becomes vulnerable when the HttpOnly attribute is not set especially when it contains sensitive information like SessionId.

Let's first understand the problem statement using the below scenario.

As a part of security risk and compliance, your security team has asked you to scan the web workloads before the production gets live. When you ran the web scanner (say Qualys), you got the below error.
 
"CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag"
 
The next question is - What is the meaning of the above error?
 
Well, it means that there are security risks. So, what security risks does it actually have?
 

Security Risk/s

 
It is possible to steal or manipulate sensitive information and cookies, which might be used to impersonate as a legitimate user, allowing a hacker to gain access to your web workloads and to perform transactions as that user.
 
Cause
 
The web workloads (website/web application) having a cookie with sensitive information without the HttpOnly attribute.
 
The next question that comes into our mind is how can we remediate the above issue.
 
Remediation
 
Add the 'HttpOnly' attribute to all the sensitive information kept in the cookie such as SessionId etc.
 

Description - HttpOnly Attribute

 
Usually, cookies are created by a server, passed to the browser and then passed back. With a lot of enhancements at the JS side, it is possible to create and manipulate cookies at the client side.
 
HttpOnly attribute can be set on the cookie created at the server side not at client-side. Once HttpOnly attribute is set, cookie value can't be accessed by client-side JS which makes cross-site scripting attacks slightly harder to exploit by preventing them from capturing the cookie's value via an injected script. You should set the HttpOnly flag by including this attribute within the relevant Set-cookie directive.
 
The below example shows the syntax used within the HTTP response header, 
  1. Set-Cookie: <name>=<value>[; <Max-Age>=<age>] [; expires=<date>][; domain=<domain_name>]  
  2. [; path=<some_path>][; secure][; HttpOnly]   
If the HttpOnly flag (optional) is included in the HTTP response header, the cookie cannot be accessed through client side script. If a browser does not support HttpOnly and a website attempts to set an HttpOnly cookie, the HttpOnly flag will be ignored by the browser, thus creating a traditional, script accessible cookie. As a result, the cookie becomes vulnerable to theft of modification by malicious script.  
 
Reference used
 
https://cwe.mitre.org/data/definitions/1004.html