You probably gonna find this issue in your manual browsing and spidering phase of your assessment. But also Nikto and Nessus will report this issue during your scanning phase.

OWASP Zap Output

Description:

A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.

Nikto

+ Cookie <cookiename> created without the secure flag

Nessus Output

Web Application Cookies Not Marked Secure
Plugin ID: 85602

Description

The remote web application sets various cookies throughout a user’s unauthenticated and authenticated session. However, there are instances where the application is running over unencrypted HTTP or the cookies are not marked ‘secure’, meaning the browser could send them back over an unencrypted link under certain circumstances. As a result, it may be possible for a remote attacker to intercept these cookies.

Note that this plugin detects all general cookies missing the ‘secure’ cookie flag, whereas plugin 49218 (Web Application Session Cookies Not Marked Secure) will only detect session cookies from an authenticated session missing the secure cookie flag.

Solution

Each cookie should be carefully reviewed to determine if it contains sensitive data or is relied upon for a security decision.

If possible, ensure all communication occurs over an encrypted channel and add the ‘secure’ attribute to all session cookies or any cookies containing sensitive data.

Report

Include the following information in the final report:

• Name of the Website or WebApplication
• The name of the cookie
• A sample request and reponse

References

• https://www.owasp.org/index.php/SecureFlag
• http://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)