ajinabraham.njsscan.headers.header_cookie.cookie_session_no_httponly

Session middleware settings: `httpOnly` is explicitly set to false. The `httpOnly` flag ensures that sensitive cookies cannot be accessed by client-side JavaScript and helps to protect against cross-site scripting attacks.

Definition

rules:
  - id: cookie_session_no_httponly
    patterns:
      - pattern-either:
          - pattern-inside: |
              $SESSION = require('cookie-session')
              ...
          - pattern-inside: |
              $SESSION = require('express-session')
              ...
      - pattern-either:
          - pattern-inside: $SESSION(<... {cookie:{httpOnly:false}} ...>,...)
          - pattern-inside: |
              $OPTS = <... {cookie:{httpOnly:false}} ...>;
              ...
              $SESSION($OPTS,...)
          - pattern-inside: |
              $OPTS = ...;
              ...
              $COOKIE = <... {httpOnly:false} ...>;
              ...
              $SESSION($OPTS,...)
          - pattern-inside: |
              $OPTS = ...;
              ...
              $OPTS.cookie = <... {httpOnly:false} ...>;
              ...
              $SESSION($OPTS,...)
          - pattern-inside: |
              $OPTS = ...;
              ...
              $COOKIE.httpOnly = false;
              ...
              $SESSION($OPTS,...)
          - pattern-inside: |
              $OPTS = ...;
              ...
              $OPTS.cookie.httpOnly = false;
              ...
              $SESSION($OPTS,...)
    message: "Session middleware settings: `httpOnly` is explicitly set to
      false. The `httpOnly` flag ensures that sensitive cookies cannot be
      accessed by client-side JavaScript and helps to protect against
      cross-site scripting attacks."
    severity: WARNING
    languages:
      - javascript
    metadata:
      cwe: cwe-1004
      owasp-web: a2
      license: LGPL-3.0-or-later
      vulnerability_class:
        - Other
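The following is an added example, not code from the njsscan rule or from the Semgrep registry page. It puts the configuration the rule flags next to the hardened one, reproduces the `$OPTS.cookie.httpOnly = false` assignment form the patterns above also match, and adds a small runtime check and a `Set-Cookie` rendering so the effect of the flag is visible. The `session` function is a constructed stand-in for `require('express-session')` that only records its options, so the example runs without the real package; the secret values are constructed placeholders.

```javascript
// Added example (not part of the njsscan rule or the registry page).
// `session` is a stand-in for require('express-session') / require('cookie-session'):
// it records the options it was given so the example runs offline.
function session(options) {
  const middleware = function (req, res, next) { next(); };
  middleware.options = options;
  return middleware;
}

// Flagged by the rule: cookie.httpOnly is explicitly false, so the session
// identifier becomes readable through document.cookie.
function vulnerableConfig() {
  return session({
    secret: 'constructed-example-secret', // constructed placeholder
    cookie: { httpOnly: false, secure: true, sameSite: 'lax' },
  });
}

// Hardened form: httpOnly stated explicitly as true (also the express-session default).
function hardenedConfig() {
  return session({
    secret: 'constructed-example-secret', // constructed placeholder
    cookie: { httpOnly: true, secure: true, sameSite: 'lax' },
  });
}

// Same weakness introduced after construction; this is why the rule matches
// `$OPTS.cookie.httpOnly = false` and not only the object literal.
function mutatedConfig() {
  const opts = { secret: 'constructed-example-secret', cookie: { secure: true } };
  opts.cookie.httpOnly = false;
  return session(opts);
}

// Runtime counterpart of the static rule: true when the options make the session
// cookie readable from JavaScript. Like the rule, only an explicit `false` counts;
// an absent flag falls back to the middleware default (true).
function sessionCookieExposed(options) {
  const cookie = options && options.cookie;
  return Boolean(cookie) && cookie.httpOnly === false;
}

// Minimal Set-Cookie rendering to show what the flag changes on the wire.
function renderSetCookie(name, value, cookieOpts) {
  const parts = [`${name}=${value}`, 'Path=/'];
  if (cookieOpts.httpOnly !== false) parts.push('HttpOnly');
  if (cookieOpts.secure) parts.push('Secure');
  if (cookieOpts.sameSite) {
    const s = cookieOpts.sameSite;
    parts.push(`SameSite=${s[0].toUpperCase()}${s.slice(1)}`);
  }
  return parts.join('; ');
}

// Usage: report each configuration and the header it would emit.
for (const [label, mw] of [
  ['vulnerable', vulnerableConfig()],
  ['hardened', hardenedConfig()],
  ['mutated', mutatedConfig()],
]) {
  const verdict = sessionCookieExposed(mw.options) ? 'EXPOSED' : 'ok';
  console.log(label, verdict, renderSetCookie('connect.sid', 'abc', mw.options.cookie));
}
```

The check deliberately mirrors the rule's scope: it reports only an explicit `httpOnly: false`, because omitting the flag keeps the middleware default. In review, the hardened form is preferable even though it equals the default, since it makes the intent visible and survives a later change of defaults.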