Cobalt Logo
Menu Icon

Cobalt Vulnerability Wiki

Cobalt Vulnerability Wiki

Categories

Toggle Arrow IconV2 - AuthenticationToggle Arrow IconV3 - Session ManagementToggle Arrow IconV4 - Access ControlToggle Arrow IconV5 - Validation/SanitizationToggle Arrow IconV6 - CryptographyToggle Arrow IconV7 - Error LoggingToggle Arrow IconV8 - Data ProtectionToggle Arrow IconV9 - CommunicationsToggle Arrow IconV10 - Malicious CodeToggle Arrow IconV11 - Business LogicToggle Arrow IconV12 - Files ResourcesToggle Arrow IconV13 - APIToggle Arrow IconV14 - Config
CORS (Cross-Origin Resource Sharing) CORS (Cross-Origin Resource Sharing) Vulnerability Leaking Sensitive DataEmail Spoofing to Inbox due to Missing or Misconfigured DMARC on Email Domain Enabled HTTP PUT method leads to create malicious file on the server Lack of Security Headers Mail Server Misconfiguration - Missing or Misconfigured SPF and/or DKIM Mail Server Misconfiguration - No Spoofing Protection on Email Domain Misconfigured DNS - Missing Certification Authority Authorization (CAA) Record Misconfigured DNS - Zone Transfer Missing Secure or HTTPOnly Cookie Flag Missing Strict Transport Security Header (HSTS) Missing X-Frame-Options Header Out-Of-Date Component in use Server Banner Disclosure Weak Content-Security-Policy Webserver Default Page Reveals Internal Info (Nginx, IIS)
Arrow Left

V14 - Config

Missing Secure or HTTPOnly Cookie Flag

POC

- Intercept the HTTP request


- Observe that the Set-Cookie is missing the 'Secure' or/and 'HttpOnly' flags.




Impact

Very Low



Likelihood

Very Low


Ready to get started?

our platformschedule a demo
Aircall logoAlgolia logoCangageCredit KarmaDattoEgnyteHubspotMovinimageMulesoftPendoSentaraSmarshSnowSolarisTalkdeskVerifoneKubraAxel SpringerNuna

Join some of these great clients we're proud to have helped