Cookie Without HttpOnly Flag

Severity
High

The HttpOnly attribute, when set, prevents client-side JavaScript from reading the cookie value (for example through document.cookie). With this protection enabled, a website that is vulnerable to Cross-Site Scripting (XSS) can still prevent injected scripts from reading the cookie value.

Detector ID
kotlin/sensitive-cookie-without-http-only-flag@v1.0
Category
Common Weakness Enumeration (CWE)
Tags
-

Noncompliant example

import javax.servlet.http.Cookie
import javax.servlet.http.HttpServletResponse

// Noncompliant: The `httponly` attribute of the cookie is explicitly set to `false`,
// so client-side JavaScript can read it via document.cookie
fun noncompliant(value: String, response: HttpServletResponse) {
    val cookie: Cookie = Cookie("cookie", value)
    cookie.setHttpOnly(false)
    response.addCookie(cookie)
}

Compliant example

import javax.servlet.http.Cookie
import javax.servlet.http.HttpServletResponse

// Compliant: The `httponly` attribute of the cookie is set to `true`; `secure`
// additionally restricts the cookie to HTTPS connections
fun compliant(value: String, response: HttpServletResponse) {
    val cookie: Cookie = Cookie("cookie", value)
    cookie.setSecure(true)
    cookie.setHttpOnly(true)
    response.addCookie(cookie)
}
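The compliant fix above is made in source code; to confirm the attribute actually reaches the client, a test can audit the Set-Cookie headers a response emits. The following is an added example, not part of the detector page: it parses Set-Cookie header strings (constructed samples, no servlet dependency) and reports cookies missing HttpOnly or Secure.

```kotlin
// Added example: audit Set-Cookie headers for missing HttpOnly/Secure attributes.
// The header strings are constructed samples, not output from any real server.
data class CookieAudit(val name: String, val httpOnly: Boolean, val secure: Boolean) {
    // Human-readable list of attributes that are absent
    val findings: List<String>
        get() = buildList {
            if (!httpOnly) add("missing HttpOnly")
            if (!secure) add("missing Secure")
        }
}

// Parse one Set-Cookie header value: "name=value; Attr1; Attr2=x; ..."
// Attribute names are compared case-insensitively, as browsers do.
fun auditSetCookie(header: String): CookieAudit {
    val parts = header.split(';').map { it.trim() }.filter { it.isNotEmpty() }
    val name = parts.first().substringBefore('=')
    val attrs = parts.drop(1).map { it.substringBefore('=').lowercase() }.toSet()
    return CookieAudit(name, httpOnly = "httponly" in attrs, secure = "secure" in attrs)
}

// Return only the cookies that need attention, keyed by cookie name
fun findWeakCookies(headers: List<String>): Map<String, List<String>> =
    headers.map(::auditSetCookie)
        .filter { it.findings.isNotEmpty() }
        .associate { it.name to it.findings }

fun main() {
    // Constructed sample headers as a servlet container might emit them
    val headers = listOf(
        "JSESSIONID=abc123; Path=/; HttpOnly; Secure",   // fine
        "cookie=value; Path=/",                          // flagged: both missing
        "csrf=tok; Path=/; Secure; SameSite=Strict",     // flagged: HttpOnly missing
    )
    for ((name, findings) in findWeakCookies(headers)) {
        println("$name: ${findings.joinToString(", ")}")
    }
}
```

HttpOnly only stops scripts from reading the cookie; an injected script can still issue requests that the browser authenticates with it, so the flag complements rather than replaces fixing the XSS itself.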