• HttpOnly Not Set

    One of the most common web application security findings we see during testing is the lack of the HttpOnly flag on session cookies. As web application pentesters, we love this finding because it is so easy to find and it assures us of at least one finding during testing.