Description
The NodeGoat application configures its express-session cookie without the HttpOnly and Secure flags. Without HttpOnly, script injected through an XSS flaw can read the session cookie from document.cookie and hand it to an attacker; without Secure, the browser will also send the cookie over plaintext HTTP. Either path lets an attacker take over the victim's session.
Location
NodeGoat/server.js:78-100
Current Code
    app.use(session({
      secret: cookieSecret,
      saveUninitialized: true,
      resave: true
      // Missing: cookie: { httpOnly: true, secure: true }
    }));
Risk
- Severity: High
- OWASP: A2:2017 - Broken Authentication
- CWE: CWE-614 (Sensitive Cookie in HTTPS Session Without Secure Attribute)
Remediation
Add the cookie options to the session configuration (the full app.use call, with the cookie block that is currently missing):
    app.use(session({
      secret: cookieSecret,
      saveUninitialized: true,
      resave: true,
      cookie: {
        httpOnly: true,      // not exposed to document.cookie, so XSS cannot read it
        secure: true,        // only sent over HTTPS
        sameSite: "strict",  // not sent on cross-site requests
        maxAge: 3600000      // one hour, in milliseconds
      }
    }));
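The following is an added example, not code from NodeGoat or from this report. It shows two things a practitioner would want alongside the remediation: a helper that builds the hardened cookie options above, and a small Set-Cookie auditor that flags a session cookie missing HttpOnly, Secure, SameSite or an expiry, so the fix can be verified from an actual HTTP response rather than by reading server.js. The cookie name connect.sid is express-session's default; the header values are constructed samples, and the function names are this example's own.

```javascript
// Added example (not NodeGoat's own code). Builds the hardened express-session
// cookie options from the remediation and audits Set-Cookie headers for them.

// Returns the cookie options recommended in the remediation above.
// A caller would pass this as the `cookie` key of the express-session config.
function hardenedCookieOptions() {
  return {
    httpOnly: true,      // keep the cookie out of document.cookie (XSS theft)
    secure: true,        // only transmit over HTTPS
    sameSite: 'strict',  // never attach to cross-site requests
    maxAge: 3600000,     // one hour, in milliseconds
  };
}

// Parse one Set-Cookie header value into { name, value, attributes }.
// Attribute names are lower-cased; flag attributes (HttpOnly, Secure) map to true.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq),
    value: eq === -1 ? '' : pair.slice(eq + 1),
    attributes: {},
  };
  for (const attr of attrs) {
    if (attr === '') continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Audit a session cookie header against the flags this finding requires.
// Returns { name, findings } where findings is empty for a hardened cookie.
function auditSessionCookie(header) {
  const cookie = parseSetCookie(header);
  const a = cookie.attributes;
  const findings = [];
  if (!a.httponly) {
    findings.push('missing HttpOnly: readable by injected script (XSS)');
  }
  if (!a.secure) {
    findings.push('missing Secure: may be sent over plaintext HTTP');
  }
  const sameSite = typeof a.samesite === 'string' ? a.samesite.toLowerCase() : '';
  if (sameSite !== 'lax' && sameSite !== 'strict') {
    findings.push('SameSite absent or None: sent on cross-site requests');
  }
  if (!a['max-age'] && !a.expires) {
    findings.push('no Max-Age/Expires: cookie lives until the browser closes');
  }
  return { name: cookie.name, findings };
}

// Constructed sample headers. WEAK mirrors what the current configuration
// emits (no cookie options); HARDENED mirrors the remediated configuration.
const WEAK_HEADER = 'connect.sid=s%3Aabc123.sig; Path=/';
const HARDENED_HEADER =
  'connect.sid=s%3Aabc123.sig; Path=/; Expires=Thu, 01 Jan 2026 00:00:00 GMT; HttpOnly; Secure; SameSite=Strict';

// Usage: print the audit result for both samples.
for (const h of [WEAK_HEADER, HARDENED_HEADER]) {
  const { name, findings } = auditSessionCookie(h);
  console.log(name, findings.length === 0 ? 'OK' : findings);
}
```

One caveat when applying the fix: with secure: true, express-session only sets the cookie when it sees the connection as HTTPS, so an app running behind a TLS-terminating reverse proxy also needs Express to trust that proxy (app.set('trust proxy', 1)), or the cookie will silently never be issued.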
Note
This is intentionally vulnerable for training purposes but should be documented.