jorgectf
diff --git a/‎javascript/ql/src/experimental/Security/CWE-1004/CookieWithoutHttpOnly.qhelp
Lines changed: 25 additions & 0 deletions b/‎javascript/ql/src/experimental/Security/CWE-1004/CookieWithoutHttpOnly.qhelp
Lines changed: 25 additions & 0 deletions
diff --git a/‎javascript/ql/src/experimental/Security/CWE-1004/CookieWithoutHttpOnly.ql
Lines changed: 20 additions & 0 deletions b/‎javascript/ql/src/experimental/Security/CWE-1004/CookieWithoutHttpOnly.ql
Lines changed: 20 additions & 0 deletions
diff --git a/‎javascript/ql/src/experimental/Security/CWE-614/InsecureCookie.ql
Lines changed: 1 addition & 1 deletion b/‎javascript/ql/src/experimental/Security/CWE-614/InsecureCookie.ql
Lines changed: 1 addition & 1 deletion
diff --git a/‎javascript/ql/src/experimental/Security/CWE-614/InsecureCookie.qll
Lines changed: 0 additions & 148 deletions b/‎javascript/ql/src/experimental/Security/CWE-614/InsecureCookie.qll
Lines changed: 0 additions & 148 deletions
@@ -0,0 +1,25 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>Cookies without <code>HttpOnly</code> flag are accessible to JavaScript running in the same origin. In case of
+Cross-Site Scripting (XSS) vulnerability the cookie can be stolen by malicious script.</p>
+</overview>
+<recommendation>
+
+<p>Protect sensitive cookies, such as those related to authentication, by setting <code>HttpOnly</code> to <code>true</code> to make
+them not accessible to JavaScript.</p>
+
+</recommendation>
+
+<references>
+
+<li>Production Best Practices: Security:<a href="https://expressjs.com/en/advanced/best-practice-security.html#use-cookies-securely">Use cookies securely</a>.</li>
+<li>NodeJS security cheat sheet:<a href="https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#set-cookie-flags-appropriately">Set cookie flags appropriately</a>.</li>
+<li>express-session:<a href="https://github.com/expressjs/session#cookiehttponly">cookie.httpOnly</a>.</li>
+<li>cookie-session:<a href="https://github.com/expressjs/cookie-session#cookie-options">Cookie Options</a>.</li>
+<li><a href="https://expressjs.com/en/api.html#res.cookie">express response.cookie</a>.</li>
+<li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie">Set-Cookie</a>.</li>
+</references>
+</qhelp>
@@ -0,0 +1,20 @@
+/**
+ * @name 'HttpOnly' attribute is not set to true
+ * @description Omitting the 'HttpOnly' attribute for security sensitive cookie data allows
+ *              malicious JavaScript to steal it in case of XSS vulnerabilities. Always set
+ *              'HttpOnly' to 'true' for authentication related cookies to make them
+ *              inaccessible from JavaScript.
+ * @kind problem
+ * @problem.severity warning
+ * @precision high
+ * @id js/cookie-httponly-not-set
+ * @tags security
+ *       external/cwe/cwe-1004
+ */
+
+import javascript
+import experimental.semmle.javascript.security.InsecureCookie::Cookie
+
+from Cookie cookie
+where cookie.isAuthNotHttpOnly()
+select cookie, "Cookie attribute 'HttpOnly' is not set to true for this sensitive cookie."
@@ -11,7 +11,7 @@
  */
 
 import javascript
-import InsecureCookie::Cookie
+import experimental.semmle.javascript.security.InsecureCookie::Cookie
 
 from Cookie cookie
 where not cookie.isSecure()