-
Type:
Bug
-
Status: In Development
-
Priority:
Low
-
Resolution: Unresolved
-
Affects Version/s: None
-
Fix Version/s: None
-
Component/s: None
-
Labels:None
-
Environment:Production
-
Bug Severity:Low
-
Level:Admin, Employee, Partner
-
Module:BenAdmin - Security
-
Reported by:Harbinger
-
Company:All Clients/Multiple Clients
-
Item State:Development - In Analysis
A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.
For more details please refer attached HTML report
CC SamirRakesh RoyJaideep Vinchurkaranirudha joshi
SearchEmp_Spider.html
- relates to
-
NF-2714 Vulnerability Assessment and Penetration Testing for Workterra on Azure US environment.
-
- To Do
-
This Will be on-hold till we do not plan it for development in upcoming sprint.
Please plan it in future sprints.
Yes, we need to take care of this. While development we need to handle this such way that, we should pass a cookie value from server side code to function in java script code , so that after making 'IdForLoginValidation' cookie as HTTPOnly, there will not be an issue while reading this cookie value in java script, as currently we are accessing this cookie inside WORKTERRALogin.js to check user session.