Protocol: Cookie Security
Identifier:
header_set_cookie
Scanner(s) Support
| GraphQL Scanner | REST Scanner | WebApp Scanner | ASM Scanner |
|---|---|---|---|
Description
Cookies set without the proper attributes can be intercepted on the network (no Secure flag), read by injected scripts (no HttpOnly flag), or attached to cross-site requests (no SameSite attribute). Any of these lets an attacker steal a session token or hijack the session it represents.
How we test: We analyze the Set-Cookie headers in responses and report cookies that are missing the HttpOnly, Secure, or SameSite attributes. We also check whether cookies are set over unencrypted connections or remain accessible to JavaScript, either of which exposes them to interception or theft.
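The check described above, written out as an added example in Python. This is not the scanner's own code: it parses each Set-Cookie header of a response into its attributes, reports the missing Secure, HttpOnly and SameSite attributes, flags cookies set on a non-HTTPS response, and also catches SameSite=None without Secure, which browsers reject outright. The response URL, header list and cookie values are constructed sample data.

```python
from urllib.parse import urlsplit


def parse_set_cookie(header: str):
    """Split one Set-Cookie header value into (name, value, attributes).

    Attribute names are lower-cased. Flag attributes such as Secure and
    HttpOnly map to None; valued attributes such as SameSite=Lax keep
    their value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else None
    return name.strip(), value.strip(), attrs


def check_set_cookie(header: str, response_url: str) -> list:
    """Return the problems a scanner would report for one Set-Cookie header."""
    _, _, attrs = parse_set_cookie(header)
    problems = []
    # A cookie set on a plain-http response crosses the network in the clear.
    if urlsplit(response_url).scheme.lower() != "https":
        problems.append("sent over unencrypted connection")
    if "secure" not in attrs:
        problems.append("missing Secure")
    if "httponly" not in attrs:
        problems.append("missing HttpOnly")
    samesite = attrs.get("samesite")
    if samesite is None:
        problems.append("missing SameSite")
    elif samesite.lower() == "none" and "secure" not in attrs:
        # Browsers drop SameSite=None cookies that are not also Secure.
        problems.append("SameSite=None without Secure")
    return problems


def scan_response(response_url: str, headers) -> dict:
    """Map each cookie name set by a response to its list of problems.

    headers is a list of (name, value) pairs. Set-Cookie headers must be
    kept as separate instances: joining them on commas would corrupt
    Expires dates, which themselves contain commas.
    """
    findings = {}
    for field_name, field_value in headers:
        if field_name.lower() == "set-cookie":
            cookie_name, _, _ = parse_set_cookie(field_value)
            findings[cookie_name] = check_set_cookie(field_value, response_url)
    return findings


# Constructed sample response; not captured from any real application.
SAMPLE_URL = "https://app.example.test/login"
SAMPLE_HEADERS = [
    ("Content-Type", "application/json"),
    # Weak: session cookie with no security attributes at all.
    ("Set-Cookie", "session=9f3c1a; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT"),
    # Partially hardened: still readable from JavaScript.
    ("Set-Cookie", "csrf=t0k3n; Path=/; Secure; SameSite=Strict"),
    # Hardened form of the session cookie.
    ("Set-Cookie", "sid=9f3c1a; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for cookie, problems in scan_response(SAMPLE_URL, SAMPLE_HEADERS).items():
        print(f"{cookie}: {', '.join(problems) or 'ok'}")
```

Running the block reports `session` as missing all three attributes, `csrf` as missing only HttpOnly, and `sid` as clean. A cookie that a page deliberately reads from JavaScript (a double-submit CSRF token, for instance) will still be reported for HttpOnly; that is a finding to triage, not necessarily a defect, which is why the check is scoped per cookie rather than per response.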
References:
- https://owasp.org/www-community/Security_Headers
- https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#web-content-caching
- https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html
Configuration
Example
Example configuration:
Reference
skip
Type : boolean
Skip the test if true.