gitlab.security_code_scan.SCS0009-1
The HttpOnly flag is not set for the cookie, so a script injected through XSS could read the cookie (for example, via document.cookie) and use it to impersonate the user.
Definition
rules:
  - id: security_code_scan.SCS0009-1
    mode: taint
    pattern-sources:
      - pattern: |
          var $COOKIE = new HttpCookie(...);
    pattern-sinks:
      - pattern: $COOKIE
    pattern-sanitizers:
      - pattern: $COOKIE.HttpOnly = true;
    message: >
      The HttpOnly flag is not set for the cookie. An attacker could perform XSS
      with a malicious script.
    languages:
      - csharp
    severity: WARNING
    metadata:
      category: security
      cwe: "CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag"
      license: MIT
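The rule above is a taint rule: constructing an HttpCookie is the source, any later use of that variable is the sink, and the statement `$COOKIE.HttpOnly = true;` is the sanitizer that clears the taint. The following C# is an added illustration written for this page, not code from the gitlab rule set or from Semgrep, showing the two shapes side by side; the class and method names are invented, and the cookie name "session" is a constructed sample value.

```csharp
using System.Web;

// Added example (not part of the gitlab.security_code_scan rules):
// the two code shapes that SCS0009-1's source/sink/sanitizer patterns describe.
public static class SessionCookies
{
    // Source: `new HttpCookie(...)` taints `cookie`.
    // Sink: the later uses of `cookie` (Secure assignment, return) with no
    // sanitizer in between, so this method is the shape the rule reports.
    public static HttpCookie CreateWithoutHttpOnly(string sessionId)
    {
        var cookie = new HttpCookie("session", sessionId);
        cookie.Secure = true;   // TLS-only, but page scripts can still read it
        return cookie;          // tainted value reaches the sink
    }

    // Same code with the exact sanitizer statement the rule recognises
    // (`$COOKIE.HttpOnly = true;`) before any other use of the variable.
    public static HttpCookie CreateWithHttpOnly(string sessionId)
    {
        var cookie = new HttpCookie("session", sessionId);
        cookie.HttpOnly = true; // browsers keep it out of document.cookie
        cookie.Secure = true;
        return cookie;
    }

    // Issuing the hardened cookie on a classic ASP.NET (System.Web) response,
    // which is the HttpCookie type the rule's source pattern names.
    public static void Issue(HttpResponse response, string sessionId)
    {
        response.Cookies.Add(CreateWithHttpOnly(sessionId));
    }
}
```

Two practical notes. First, the sanitizer is the literal assignment statement, so other ways of ending up with an HttpOnly cookie (a site-wide default such as `<httpCookies httpOnlyCookies="true" />` in web.config, or setting the flag through a helper method) are not visible to this rule and will still be flagged; treat such findings as a prompt to confirm the effective Set-Cookie header rather than as a definite defect. Second, HttpOnly only stops scripts from reading the cookie; it does not prevent the XSS itself, so the flag is a containment measure that belongs alongside output encoding and a Content Security Policy, not a substitute for them.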
Short Link: https://sg.run/39QK