Vulnerability scan shows positive for HttpOnly cookie, but is actually a false positive
search cancel

Vulnerability scan shows positive for HttpOnly cookie, but is actually a false positive


Article ID: 142478


Updated On:


CA Privileged Access Manager (PAM) CA Privileged Access Manager - Cloakware Password Authority (PA) CA Privileged Access Manager - Server Control (PAMSC)


I run vulnerability scans that sometimes show positive for one vulnerability or another. 

A recent vulnerability scan came up positive: "High: Missing `httpOnly` Cookie Attribute".





Vulnerability Detection Result: 

The cookies: 

Set-Cookiefromindexphp=***replaced***; path=/; Secure are missing the "httpOnly" attribute.
CVSS Base Vector:


InsightThe flaw is due to a cookie is not using the 'httpOnly' attribute. This allows a cookie to be accessed by JavaScript which could lead to session hijacking attacks. 

Affected Software/OS: Application with session handling in cookies. 

Vulnerability Detection Method: Check all cookies sent by the application for a missing 'httpOnly' attribute 

Summary:The application is missing the 'httpOnly' cookie attribute 

SolutionSet the 'httpOnly' attribute for any session cookie. 


Release : 3.3



The HttpOnly vulnerability is described as follows:  HttpOnly is a flag added to cookies that tell the browser not to display the cookie through client-side scripts (document.cookie and others). ... When you set a cookie with the HttpOnly flag, it informs the browser that this special cookie should only be accessed by the server.

During vulnerability scans, this particular issue can cause false positives for certain URLs.  You can check the problem by using a browser to test.  You can use either IE or Chrome.  In both browsers there are tools that can show you whether the browsing is actually protecting you.  


To check for a vulnerability in your Chrome browser:

1- log into the url for the CAPAM address that had the issue.

2- click on the three vertical dots to the right in the browser bar.

3- select "More Tools/Developer Tools and a developer screen opens at the bottom of your screen.

4- If it is not already on the Application tab, select the Application tab.

5- in the left hand side, go down to Storage/Cookies and click on the arrow at Cookies so that the arrow is pointing down, and proceed to log into CAPAM.

6- the url for your CAPAM should appear under cookies, click on that url.

7- the result will show results of JSESSIONID (JSON) and PHPSESSID (PHP) for checked for HttpOnly and checked for Secure as well, meaning it is protected.


See the attached screenshot of the Chrome screen with the results of the Tools/Cookies page:


To use IE11 browser in the same way as Chrome, here is a procedure that will give you some similar output, but is not as informative as Chrome:


Additional Information

Results may vary due to the version of CAPAM, and the patch level installed. You may see a positive that actually is a vulnerability which means if you see your are not protected in the browser you are probably vulnerable.  You would check the released patches for a fix or you may need to upgrade.