Security Test: Cookie Security¶

Description¶

Default Severity:

Cookies not secured with the proper flags can be easily intercepted or read by malicious scripts, which could allow attackers to hijack sessions or steal sensitive session data. This happens when cookies are sent over unencrypted connections or are accessible to JavaScript, leaving them exposed to various attacks. Developers commonly overlook setting flags that restrict cookie access, so if cookies aren’t properly secured, it can lead to significant issues like unauthorized access and session hijacking.

Reference:

https://owasp.org/www-community/Security_Headers
- https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#web-content-caching
- https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html

Configuration¶

Identifier: protocol/header_set_cookie

Examples¶

All configuration available:

checks:
  protocol/header_set_cookie:
    skip: false # default

Compliance and Standards¶

Standard	Value
OWASP API Top 10	API7:2023
OWASP LLM Top 10	LLM06:2023
PCI DSS	`6.5.10`
GDPR	`Article-32`
SOC2	`CC1`
PSD2	`Article-95`
ISO 27001	`A.14.1`
NIST	`SP800-53`
FedRAMP	`AC-4`
CWE	`614`
CVSS Vector	`AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N`
CVSS Score	`6.1`