Openfire / OF-902

Admin Console is not using HttpOnly attribute in cookies


    Details

      Description

      xmltec-xmlmail (9091/tcp)

      Medium (CVSS: 5.0)

      NVT: Missing httpOnly Cookie Attribute (OID: 1.3.6.1.4.1.25623.1.0.105925)

      Result:

      The cookies: Set-Cookie: JSESSIONID=6ib0auzolp564mh73rkjvxil;Path=/ are missing the httpOnly attribute.

      Impact
      Application
      Solution

      Set the 'httpOnly' attribute for any session cookies.

      Vulnerability Insight

      The flaw is due to a cookie not using the 'httpOnly' attribute. Without it, the cookie can be read by JavaScript (for example via document.cookie), so any script injection (XSS) in the admin console could steal the session identifier and lead to session hijacking. Note that 'httpOnly' only blocks script access to the cookie; it does not stop the browser from sending it, so it is not a defence against CSRF, and the 'Secure' and 'SameSite' attributes should be set alongside it.

      Vulnerability Detection Method

      Check all cookies sent by the application for a missing 'httpOnly' attribute (attribute names are matched case-insensitively, as RFC 6265 requires).
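The detection step above, as a stand-alone script (an added example, not OpenVAS's or Openfire's code): it parses Set-Cookie headers per RFC 6265 and reports cookies that lack HttpOnly and, because 9091/tcp is Openfire's default HTTPS admin port, Secure as well. The sample headers are constructed: the first is the header quoted in the finding, the second is an assumed hardened variant, not output captured from Openfire. The optional fetch helper, its /login.jsp path and all function names are assumptions for illustration.

```python
import http.client
import re
from typing import Dict, List

# Constructed samples: [0] is the header quoted in the scanner finding,
# [1] is an assumed hardened variant (not captured from a real Openfire).
SAMPLE_HEADERS = [
    "Set-Cookie: JSESSIONID=6ib0auzolp564mh73rkjvxil;Path=/",
    "Set-Cookie: JSESSIONID=6ib0auzolp564mh73rkjvxil; Path=/; HttpOnly; Secure; SameSite=Strict",
]

# Attributes every session cookie on an HTTPS admin console should carry.
# Names are compared lower-cased: RFC 6265 attribute names are case-insensitive.
REQUIRED_ATTRS = ("httponly", "secure")


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Parse one Set-Cookie header into a dict.

    Returns {'name': ..., 'value': ...} plus one entry per attribute with the
    attribute name lower-cased; flag attributes (HttpOnly, Secure) map to ''.
    The 'Set-Cookie:' prefix is optional so raw header values work too.
    """
    body = re.sub(r"^set-cookie:\s*", "", header.strip(), flags=re.IGNORECASE)
    parts = [p.strip() for p in body.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        if not attr:  # tolerate a trailing ';'
            continue
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip()
    return cookie


def missing_attributes(header: str, required=REQUIRED_ATTRS) -> List[str]:
    """Names from `required` that the cookie in `header` does not set."""
    cookie = parse_set_cookie(header)
    return [a for a in required if a not in cookie]


def audit(headers: List[str]) -> List[dict]:
    """Findings for every header that lacks a required attribute."""
    findings = []
    for h in headers:
        missing = missing_attributes(h)
        if missing:
            findings.append({"cookie": parse_set_cookie(h)["name"], "missing": missing})
    return findings


def fetch_set_cookie_headers(host: str, port: int = 9091, path: str = "/login.jsp") -> List[str]:
    """Fetch the Set-Cookie headers the admin console sends (assumed path).

    Assumption: port 9091 is Openfire's HTTPS admin console and /login.jsp
    issues the session cookie; adjust for a non-default deployment.
    """
    conn = http.client.HTTPSConnection(host, port, timeout=5)
    conn.request("GET", path)
    resp = conn.getresponse()
    return resp.msg.get_all("Set-Cookie") or []


if __name__ == "__main__":
    for finding in audit(SAMPLE_HEADERS):
        print(f"{finding['cookie']}: missing {', '.join(finding['missing'])}")
```

Running the script against the constructed samples flags the first JSESSIONID cookie for both httponly and secure and passes the hardened one; point `audit(fetch_set_cookie_headers("your-openfire-host"))` at a live console to check a real deployment.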

      References

      Other: https://www.owasp.org/index.php/HttpOnly
      https://www.owasp.org/index.php/Testing_for_cookies_attributes_(OTG-SESS-002)

            People

            Assignee:
            dwd Dave Cridland
            Reporter:
            wroot wroot