WSTG-V42-SESS-02 on ZAP /alerttags/wstg-v42-sess-02/ Recent content in WSTG-V42-SESS-02 on ZAP Hugo en-us Cookie No HttpOnly Flag /docs/alerts/10010/ Mon, 01 Jan 0001 00:00:00 +0000 /docs/alerts/10010/ <p>A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.</p> Cookie Slack Detector /docs/alerts/90027/ Mon, 01 Jan 0001 00:00:00 +0000 /docs/alerts/90027/ <p>Repeated GET requests: drop a different cookie each time, followed by normal request with all cookies to stabilize session, compare responses against original baseline GET. This can reveal areas where cookie based authentication/attributes are not actually enforced.</p> Cookie with Invalid SameSite Attribute /docs/alerts/10054-3/ Mon, 01 Jan 0001 00:00:00 +0000 /docs/alerts/10054-3/ <p>A cookie has been set with an invalid SameSite attribute value, which means that the cookie can be sent as a result of a &lsquo;cross-site&rsquo; request. The SameSite attribute is an effective counter measure to cross-site request forgery, cross-site script inclusion, and timing attacks.</p> Cookie with SameSite Attribute None /docs/alerts/10054-2/ Mon, 01 Jan 0001 00:00:00 +0000 /docs/alerts/10054-2/ <p>A cookie has been set with its SameSite attribute set to &ldquo;none&rdquo;, which means that the cookie can be sent as a result of a &lsquo;cross-site&rsquo; request. The SameSite attribute is an effective counter measure to cross-site request forgery, cross-site script inclusion, and timing attacks.</p> Cookie without SameSite Attribute /docs/alerts/10054-1/ Mon, 01 Jan 0001 00:00:00 +0000 /docs/alerts/10054-1/ <p>A cookie has been set without the SameSite attribute, which means that the cookie can be sent as a result of a &lsquo;cross-site&rsquo; request. The SameSite attribute is an effective counter measure to cross-site request forgery, cross-site script inclusion, and timing attacks.</p> Cookie Without Secure Flag /docs/alerts/10011/ Mon, 01 Jan 0001 00:00:00 +0000 /docs/alerts/10011/ <p>A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.</p> Loosely Scoped Cookie /docs/alerts/90033/ Mon, 01 Jan 0001 00:00:00 +0000 /docs/alerts/90033/ <p>Cookies can be scoped by domain or path. This check is only concerned with domain scope.The domain scope applied to a cookie determines which domains can access it. For example, a cookie can be scoped strictly to a subdomain e.g. <a href="http://www.nottrusted.com">www.nottrusted.com</a>, or loosely scoped to a parent domain e.g. nottrusted.com. In the latter case, any subdomain of nottrusted.com can access the cookie. Loosely scoped cookies are common in mega-applications like google.com and live.com. Cookies set from a subdomain like app.foo.bar are transmitted only to that domain by the browser. However, cookies scoped to a parent-level domain may be transmitted to the parent, or any subdomain of the parent.</p>