gitlab.security_code_scan.SCS0009-1


The HttpOnly flag is not set for the cookie, so a malicious script injected through XSS can read the cookie from the browser.

Definition

rules:
  - id: security_code_scan.SCS0009-1
    mode: taint
    pattern-sources:
      - pattern: |
          var $COOKIE = new HttpCookie(...);
    pattern-sinks:
      - pattern: $COOKIE
    pattern-sanitizers:
      - pattern: $COOKIE.HttpOnly = true;
    message: >
      The HttpOnly flag is not set for the cookie. An attacker could perform XSS
      with a malicious script.
    languages:
      - csharp
    severity: WARNING
    metadata:
      category: security
      cwe: "CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag"
      license: MIT
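As an added C# illustration (not part of the rule page or the Security Code Scan project), the two shapes of code this taint rule distinguishes: a cookie created with `new HttpCookie(...)` that is used without the sanitizer statement, and one where `cookie.HttpOnly = true;` is set before any other use. The `response` and `token` parameters are assumed for the example.

```csharp
using System;
using System.Web;

// Constructed example for rule security_code_scan.SCS0009-1.
public static class SessionCookies
{
    // REPORTED: the source `new HttpCookie(...)` taints `cookie`, and the
    // taint reaches a use of the variable (the rule's sink is any `$COOKIE`)
    // without the sanitizer `cookie.HttpOnly = true;` ever appearing.
    public static void SetInsecure(HttpResponse response, string token)
    {
        var cookie = new HttpCookie("session", token);
        cookie.Secure = true;         // Secure alone does not satisfy the rule
        response.Cookies.Add(cookie); // still a tainted use
    }

    // NOT REPORTED: the standalone assignment `cookie.HttpOnly = true;` is
    // exactly the rule's pattern-sanitizer. It is placed immediately after
    // construction so that no earlier use of `cookie` is still tainted.
    public static void SetHardened(HttpResponse response, string token)
    {
        var cookie = new HttpCookie("session", token);
        cookie.HttpOnly = true;       // matches pattern-sanitizers
        cookie.Secure = true;         // only sent over HTTPS
        cookie.Path = "/";
        response.Cookies.Add(cookie);
    }
}
```

The rule is purely syntactic: it recognises only the `$COOKIE.HttpOnly = true;` statement as a sanitizer, so a cookie made HttpOnly by any other means (for example application-wide configuration) is outside what this rule can see and should be reviewed separately.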