Structure: Simple
Abstraction: Variant
Status: Incomplete
Likelihood of Exploit: Medium
The software uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.
The HttpOnly flag directs compatible browsers to prevent client-side script from accessing cookies. Including the HttpOnly flag in the Set-Cookie HTTP response header helps mitigate the risk associated with Cross-Site Scripting (XSS), where an attacker's script code might attempt to read the contents of a cookie and exfiltrate the information obtained. When the flag is set, browsers that support it will not reveal the contents of the cookie to a third party via client-side script executed through XSS.
| Scope | Impact | Note |
|---|---|---|
| Confidentiality | Read Application Data | If the HttpOnly flag is not set, then sensitive information stored in the cookie may be exposed to unintended parties. |
| Integrity | Gain Privileges or Assume Identity | If the cookie in question is an authentication cookie, then not setting the HttpOnly flag may allow an adversary to steal authentication data (e.g., a session ID) and assume the identity of the user. |
Strategy:
Leverage the HttpOnly flag when setting a sensitive cookie in a response.
In this example, a cookie is used to store a session ID for a client's interaction with a website. The intention is that the cookie will be sent to the website with each request made by the client.
The snippet of code below establishes a new cookie to hold the sessionID.
Example language: Java (bad code)
The HttpOnly flag is not set for the cookie. An attacker who can perform XSS could insert malicious script such as:
Example language: JavaScript (attack code)
When the client loads and executes this script, it makes a request to the attacker-controlled web site. The attacker can then log the request and steal the cookie.
To mitigate the risk, use the setHttpOnly(true) method.
Example language: Java (good code)
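As an added example that is not the CWE entry's own snippet, the servlet class below contrasts a session cookie created without HttpOnly against the corrected version, and includes a small header check that an integration test can run over a response's Set-Cookie lines. It assumes the Servlet 3.0 or later API (javax.servlet.http.Cookie exposes setHttpOnly from that version); the cookie name sessionID and the helper names are this example's own choices.

```java
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example for CWE-1004 style cookies; assumes Servlet 3.0+ (setHttpOnly).
public class SessionCookieServlet extends HttpServlet {

    private static final SecureRandom RNG = new SecureRandom();

    // Generate an unguessable session identifier (256 bits, URL-safe Base64).
    static String newSessionId() {
        byte[] buf = new byte[32];
        RNG.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    // Weak: HttpOnly defaults to false, so the session ID is visible to
    // document.cookie and any XSS on the site can read it.
    static Cookie sessionCookieWithoutHttpOnly(String sessionId) {
        Cookie cookie = new Cookie("sessionID", sessionId);
        cookie.setPath("/");
        return cookie;
    }

    // Hardened: HttpOnly keeps the value out of reach of client-side script;
    // Secure additionally restricts the cookie to TLS connections.
    static Cookie hardenedSessionCookie(String sessionId) {
        Cookie cookie = new Cookie("sessionID", sessionId);
        cookie.setPath("/");
        cookie.setHttpOnly(true);
        cookie.setSecure(true);
        return cookie;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Issue the session with the hardened cookie; the container emits
        // "Set-Cookie: sessionID=...; Path=/; Secure; HttpOnly".
        resp.addCookie(hardenedSessionCookie(newSessionId()));
        resp.setContentType("text/plain");
        resp.getWriter().println("session issued");
    }

    // Check helper for tests or a response filter: true when a raw
    // Set-Cookie header value carries the HttpOnly attribute.
    // Attribute names are matched case-insensitively, as browsers do.
    static boolean hasHttpOnly(String setCookieHeader) {
        return Arrays.stream(setCookieHeader.split(";"))
                .map(String::trim)
                .anyMatch(attr -> attr.equalsIgnoreCase("HttpOnly"));
    }
}
```

hasHttpOnly("sessionID=abc; Path=/") returns false and hasHttpOnly("sessionID=abc; Path=/; Secure; HttpOnly") returns true, which makes it straightforward to assert in a test that every sensitive cookie the application issues carries the flag. Where the cookie is the container-managed session cookie rather than one created in code, the same protection can be switched on for the whole application in web.xml through the session-config element's cookie-config/http-only setting (Servlet 3.0+), so it cannot be forgotten in an individual handler.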
| Reference | Description | Link |
|---|---|---|
| CVE-2014-3852 | CMS written in Python does not include the HTTPOnly flag in a Set-Cookie header, allowing remote attackers to obtain potentially sensitive information via script access to this cookie. | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3852 |
| CVE-2015-4138 | Appliance for managing encrypted communications does not use HttpOnly flag. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4138 |