Script http-cookie-flags

Script types: portrule
Categories: default, safe, vuln
Download: https://svn.nmap.org/nmap/scripts/http-cookie-flags.nse

Script Summary

Examines cookies set by HTTP services. Reports any session cookies set without the httponly flag. Reports any session cookies set over SSL without the secure flag. If http-enum.nse is also run, any interesting paths found by it will be checked in addition to the root.

See also:

• http-enum.nse
• http-security-headers.nse

Script Arguments

cookie

Specific cookie name to check flags on. Default: A variety of commonly used session cookie names and patterns.

path

Specific URL path to check for session cookie flags. Default: / and those found by http-enum.

slaxml.debug

See the documentation for the slaxml library.

http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent

See the documentation for the http library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

Example Usage

nmap -p 443 --script http-cookie-flags <target>

Script Output

443/tcp open  https
| http-cookie-flags:
|   /:
|     PHPSESSID:
|       secure flag not set and HTTPS in use
|   /admin/:
|     session_id:
|       secure flag not set and HTTPS in use
|       httponly flag not set
|   /mail/:
|     ASPSESSIONIDASDF:
|       httponly flag not set
|     ASP.NET_SessionId:
|_      secure flag not set and HTTPS in use

Requires

• http
• shortport
• stdnse
• string

---

Author:

• Steve Benson

License: Same as Nmap--See https://nmap.org/book/man-legal.html