Sensitive server cookie exposed to the client¶
ID: js/client-exposed-cookieKind: problemSecurity severity: 5.0Severity: warningPrecision: highTags: - security - external/cwe/cwe-1004Query suites: - javascript-code-scanning.qls - javascript-security-extended.qls - javascript-security-and-quality.qls
Click to see the query in the CodeQL repository
Authentication cookies stored by a server can be accessed by a client if thehttpOnly flag is not set.
An attacker that manages a cross-site scripting (XSS) attack can read the cookie and hijack the session.
Recommendation¶
Set thehttpOnly flag on all cookies that are not needed by the client.
Example¶
The following example stores an authentication token in a cookie that can be viewed by the client.
consthttp=require('http');constserver=http.createServer((req,res)=>{res.setHeader("Set-Cookie",`authKey=${makeAuthkey()}`);res.writeHead(200,{'Content-Type':'text/html'});res.end('<h2>Hello world</h2>');});
To force the cookie to be transmitted using SSL, set thesecure attribute on the cookie.
consthttp=require('http');constserver=http.createServer((req,res)=>{res.setHeader("Set-Cookie",`authKey=${makeAuthkey()}; secure; httpOnly`);res.writeHead(200,{'Content-Type':'text/html'});res.end('<h2>Hello world</h2>');});
References¶
ExpressJS:Use cookies securely.
Mozilla:Set-Cookie.
Common Weakness Enumeration:CWE-1004.