I have run a vulnerability scan on UI3. There is a high risk vulnerability.
Missing `httpOnly` Cookie Attribute.
High: Missing `httpOnly` Cookie Attribute
Risk: High
Protocol: tcp
ScriptID: 105925
Vulnerability Detection Result: The cookies: Set-Cookie: session=***replaced***; path=/ are missing the "httpOnly" attribute.
Summary: The application is missing the 'httpOnly' cookie attribute
CVSS Base Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Solution: Set the 'httpOnly' attribute for any session cookie.
Vulnerability Detection Method: Check all cookies sent by the application for a missing 'httpOnly' attribute
Affected Software/OS: Application with session handling in cookies.
Insight: The flaw is due to a cookie not using the 'httpOnly' attribute. This allows the cookie to be accessed by JavaScript, which could lead to session hijacking attacks.
References:
OWASP
HttpOnly
Testing for cookies attributes (OTG-SESS-002) - OWASP
CVSS Base Score: 5.0
Family name: Web application abuses
Category: infos
Copyright: Copyright (c) 2014 SCHUTZWERK GmbH
Summary: NOSUMMARY
Version: $Revision: 5270 $
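The scanner's detection method above ("check all cookies sent by the application for a missing 'httpOnly' attribute") is simple enough to reproduce and to use for verifying a fix. The following is an added example, not code from the scanner or from UI3: it parses Set-Cookie header values, reports which hardening attributes are absent, and shows the corrected form of the flagged cookie. It goes slightly beyond the report by optionally checking the Secure attribute as well; the sample headers are constructed, with the session value redacted as in the report.

```python
# Constructed sample Set-Cookie values: the first is the cookie the scan
# flagged (value redacted as in the report), the second is a hardened form.
SAMPLE_HEADERS = [
    "session=***replaced***; path=/",
    "session=***replaced***; Path=/; HttpOnly; Secure; SameSite=Lax",
]


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased because RFC 6265 matches them
    case-insensitively (HttpOnly, httponly and HTTPONLY are equivalent).
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def missing_attributes(header, required=("httponly",)):
    """Return the required attributes (lower-case) that this cookie lacks.

    Default mirrors the scanner's check; pass ("httponly", "secure") to
    also require Secure, which matters for a cookie sent over HTTPS.
    """
    _, _, attrs = parse_set_cookie(header)
    return [a for a in required if a not in attrs]


def audit_cookies(headers, required=("httponly",)):
    """Return [(header, missing_attrs)] for every cookie with a finding."""
    findings = []
    for header in headers:
        missing = missing_attributes(header, required)
        if missing:
            findings.append((header, missing))
    return findings


def add_httponly(header):
    """Apply the report's solution: append HttpOnly if it is not already set."""
    if "httponly" in parse_set_cookie(header)[2]:
        return header
    return header.rstrip("; ") + "; HttpOnly"


if __name__ == "__main__":
    for header, missing in audit_cookies(SAMPLE_HEADERS, ("httponly", "secure")):
        print(f"{header!r} is missing: {', '.join(missing)}")
    print("fixed:", add_httponly(SAMPLE_HEADERS[0]))
```

Run it against the real Set-Cookie headers captured from the UI3 login response (e.g. from browser developer tools) to confirm the finding before and after the fix.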