Sensitive server cookie exposed to the client¶
ID: js/client-exposed-cookie Kind: problem Security severity: 5.0 Severity: warning Precision: high Tags: - security - external/cwe/cwe-1004 Query suites: - javascript-code-scanning.qls - javascript-security-extended.qls - javascript-security-and-quality.qls Click to see the query in the CodeQL repository
Authentication cookies stored by a server can be accessed by a client if the httpOnly flag is not set.
An attacker that manages a cross-site scripting (XSS) attack can read the cookie and hijack the session.
Recommendation¶
Set the httpOnly flag on all cookies that are not needed by the client.
Example¶
The following example stores an authentication token in a cookie that can be viewed by the client.
consthttp=require('http');constserver=http.createServer((req,res)=>{res.setHeader("Set-Cookie",`authKey=${makeAuthkey()}`);res.writeHead(200,{'Content-Type':'text/html'});res.end('<h2>Hello world</h2>');});To force the cookie to be transmitted using SSL, set the secure attribute on the cookie.
consthttp=require('http');constserver=http.createServer((req,res)=>{res.setHeader("Set-Cookie",`authKey=${makeAuthkey()}; secure; httpOnly`);res.writeHead(200,{'Content-Type':'text/html'});res.end('<h2>Hello world</h2>');});References¶
ExpressJS: Use cookies securely.
OWASP: Set cookie flags appropriately.
Mozilla: Set-Cookie.
Common Weakness Enumeration: CWE-1004.
