Vulnerability

Security Issues reported for 192.168.2.3

xmltec-xmlmail (9091/tcp)

Medium (CVSS: 5.0)
NVT: Missing httpOnly Cookie Attribute (OID: 1.3.6.1.4.1.25623.1.0.105925)

Result:

The cookies: Set-Cookie: JSESSIONID=6ib0auzolp564mh73rkjvxil;Path=/ are missing the httpOnly attribute.

Impact

Application

Solution

Set the ‘httpOnly’ attribute for any session cookies.

Vulnerability Insight

The flaw is due to a cookie not using the ‘httpOnly’ attribute. This allows the cookie to be accessed by JavaScript, which could lead to session hijacking attacks.

Vulnerability Detection Method

Check all cookies sent by the application for a missing ‘httpOnly’ attribute

References

Other:
https://www.owasp.org/index.php/HttpOnly
https://www.owasp.org/index.php/Testing_for_cookies_attributes_(OTG-SESS-002

Thanks for reporting.

OF-902