You probably gonna find this issue in your manual browsing and spidering phase of your assessment. But also Nikto and Nessus will report this issue during your scanning phase.
OWASP Zap Output
+ Cookie <cookiename> created without the httponly flag
Web Application Cookies Not Marked HttpOnly
Plugin ID: 85601
Note that this plugin detects all general cookies missing the HttpOnly cookie flag, whereas plugin 48432 (Web Application Session Cookies Not Marked HttpOnly) will only detect session cookies from an authenticated session missing the HttpOnly cookie flag.
Each cookie should be carefully reviewed to determine if it contains sensitive data or is relied upon for a security decision.
If possible, add the ‘HttpOnly’ attribute to all session cookies and any cookies containing sensitive data.
In IIS set the following configuration in the web.config
<configuration> <system.web> <httpCookies httpOnlyCookies="true" /> </system.web> </configuration>
Include the following information in the final report:
- Name of the Website or WebApplication
- The name of the cookie
- A sample request and reponse