DerScanner
Home / Vulnerability Database / Rust : Cookie: not http_only
Rust

Rust : Cookie: not http_only

Classification

OWASP Top 10 2013
A2-Broken Authentication and Session Management
OWASP Mobile Top 10 2016
M2-Insecure Data Storage
OWASP Top 10 2017
A2-Broken AuthenticationA3-Sensitive Data Exposure
OWASP Top 10 2021
A2-Cryptographic FailuresA4-Insecure DesignA7-Identification and Authentication Failures
OWASP ASVS
Session Management
PCI DSS 4.0
6.2.4
HIPAA
§164.312 (e)(1)
CWE
CWE-732CWE-1004CWE-1028
CWE/SANS Top 25 2011
CWE-732
CWE/SANS Top 25 2021
CWE-732

Overview

The application uses cookies without the property http_only set to true. http_only ensures that cookies are only transferred over HTTP. It protects them from being stolen via JavaScript-code (XSS).

Sensitive Data Exposure vulnerabilities take the third place in the “OWASP Top 10 2017” web-application vulnerabilities ranking.

References

  1. OWASP Top 10 2017 A2-Broken Authentication
  2. OWASP Top 10 2013-A5-Security Misconfiguration
  3. Origin Cookies: Session Integrity for Web Applications (pdf)
  4. CookieBuilder - RUST
LOW

DerScanner Severity Score

Do you want to fix Rust : Cookie: not http_only in your application?

See also

Rust

Rust : Buffer overflow

Rust

Rust : Empty salt

Rust

Rust : Hardcoded salt