Sensitive cookie missing HttpOnly attribute — CodeQL query help documentation CodeQL docs

CodeQL resources

Sensitive cookie missing HttpOnly attribute¶

ID: py/client-exposed-cookie
Kind: problem
Security severity: 5.0
Severity: warning
Precision: high
Tags:
   - security
   - external/cwe/cwe-1004
Query suites:
   - python-code-scanning.qls
   - python-security-extended.qls
   - python-security-and-quality.qls

Click to see the query in the CodeQL repository

Cookies without the HttpOnly flag set are accessible to JavaScript running in the same origin. In case of a Cross-Site Scripting (XSS) vulnerability, the cookie can be stolen by a malicious script. If a sensitive cookie does not need to be accessed directly by client-side JS, the HttpOnly flag should be set.

Recommendation¶

Set httponly to True, or add ; HttpOnly; to the cookie’s raw header value, to ensure that the cookie is not accessible via JavaScript.

Example¶

In the following examples, the cases marked GOOD show secure cookie attributes being set; whereas in the case marked BAD they are not set.

from flask import Flask, request, make_response, Response


@app.route("/good1")
def good1():
    resp = make_response()
    resp.set_cookie("sessionid", value="value", secure=True, httponly=True, samesite='Strict') # GOOD: Attributes are securely set
    return resp


@app.route("/good2")
def good2():
    resp = make_response()
    resp.headers['Set-Cookie'] = "sessionid=value; Secure; HttpOnly; SameSite=Strict" # GOOD: Attributes are securely set 
    return resp

@app.route("/bad1")
def bad1():
    resp = make_response()
    resp.set_cookie("sessionid", value="value", samesite='None') # BAD: the SameSite attribute is set to 'None' and the 'Secure' and 'HttpOnly' attributes are set to False by default.
    return resp

References¶

PortSwigger: Cookie without HttpOnly flag set
MDN: Set-Cookie.
Common Weakness Enumeration: CWE-1004.

© GitHub, Inc.
Terms
Privacy