Forum Thread: Difference Between XSS - Session Cookie Without Secure Flag HTTPonly ?

Difference Between XSS - Session Cookie Without Secure Flag HTTPonly ?

Hello everyone.

I have an online site created in ASP.NET and put online for only a week, I decided to scan it first with web scanner "VEGA" and a second time with "Acunetix Web SCANNER."

After analysis, "ACCUNETIX" signals as a result "Hight" the site is vulnerable to XSS scanner unlike the "VEGA" which says the site is vulnérale the Session Cookie Without Secure Flag HTTPonly.

So do you think that an XSS vulnerability and Session Cookie Without Secure Flag HTTPonly vulnerability are the same or there there is a difference between these 2 vulnerabilities (XSS and Session Cookie Without Secure Flag HTTPonly) since 2 Web Scanner found 2 different results ???

Do you think a hacker can hack a vulnerable web site Session Cookie Without Secure Flag HTTPonly exploiting XSS vulnerabilities ???

What is the Difference Between XSS and Session Cookie Without Secure Flag HTTPonly ?

Thank you for informing me.

1 Response

There certainly is a difference between XSS and Session cookie without secure flag. You have two separate issues.

XSS vulnerabilities allow an attacker to inject client side script into webpages.

Session cookie without secure flag means the website will send the cookie over http or plain text. Setting the secure flag ensures the cookie will only be sent over a secured https connection.

Depending on both the type of XSS and the information contained in the session cookie a hacker may be able to compromise the site. Obtaining session cookies is a common goal of XSS. However the secure flag being set on the cookie isn't what is going to make the difference for obtaining it via the XSS.

Share Your Thoughts

  • Hot
  • Active