HttpOnly Flag is an additional flag included in the set-cookie http response header. When a cookie does not have a httponly flag. So it can be accessed  through a javascript, which means an attacker can steal the cookies by an XSS attack.

HTTP cookies are used to identify specific users and improve user web browsing experience. The Cookie header stores the HTTP cookies previously sent by the web server with the Set-Cookie header. The session cookies are deleted when the browser closes the session and if the cookies are persistent cookies. Because they will expire at the time defined by browser.

The possibility of client-side scripts accessing the protected cookie can be reduced by including an additional “HttpOnly” flag in the HTTP response header. As a result, the browser will not reveal the cookie to a third party. So even if a cross-site scripting (XSS) flaw exists in the web application. If there is a ssl cookie without secure flag set there is a chance for information leakage. Because during a cross-site scripting attack, an attacker might easily access cookies and using these he may hijack the victim’s session. An attacker can grab the sensitive information contained in the cookie.

Tested in Apache Web Server 2.4. Browse the URL and Look at the Response Header and can be checked the Cookie info.

Solution

• Ensure to enabled mod_headers in Apache HTTP server.
• Set Header Set-Cookie HttpOnly;Secure. 
• This prevents XSS attacks attempting to capture the cookies and possibly leaking sensitive information or allowing the attacker to impersonate the user.
• The HTTP TRACE method combined with XSS can read the authentication cookie, even if the HttpOnly flag is used. So make sure that the HTTP TRACE method is disabled.

Browse the URL and Look at the Response Header and it can be seen HttpOnly flag updated.

conclusion

Fixing HttpOnly flag alone is not going to protect your website from all the security threats. Ensure to follow Web Application security checklist and leverage eCyLabs Web Application Firewall could protect from this kind of issues at the Firewall level.

---

Leverage eCyLabs ASPM to get 360 degree view of your application security posture from code to cloud. Our Marketplace approach is cost-effective and efficient way for security and compliance monitoring.