VibeSec
Severity: Medium (CVSS 5.3), moderate risk

Insecure Cookies

A05:2025 · Passive check · CVSS 5.3

What it is

Session cookies set without the Secure, HttpOnly or SameSite attributes. Each missing attribute opens a separate theft path: without Secure the cookie is sent over plaintext HTTP where it can be sniffed, without HttpOnly any injected JavaScript can read it, and without SameSite the browser attaches it to cross-site requests, enabling CSRF.

How attackers abuse it

A session cookie is a bearer token: whoever presents it is the logged-in user. Without Secure, an attacker on the same network (public Wi-Fi, a compromised router) can capture the cookie from any plaintext http:// request the browser makes to your domain, even when the login itself happened over HTTPS. Without HttpOnly, any script injection, however small, can read document.cookie and send the session to the attacker. Without SameSite, a page on the attacker's site can make the victim's browser send requests to yours with the cookie attached, performing actions as the victim while your site sees a normal logged-in request.

Attacker playbook

  1. Inspect the Set-Cookie headers on the login response and the pages after it to identify the session cookie and which of Secure, HttpOnly and SameSite it lacks.
  2. Pick the weakest gap: with no Secure, lure the victim to an http:// link on your domain and capture the cookie in transit; with no HttpOnly, use any script injection point to read document.cookie; with no SameSite, host a page that submits cross-site requests to your endpoints.
  3. Replay the captured cookie in the attacker's own browser, or drive state-changing requests as the victim.

How VibeSec detects and confirms it

VibeSec checks for this with a passive, read-only scan that is safe to run on any site: it inspects the Set-Cookie headers your site already returns and flags session cookies that lack Secure, HttpOnly or SameSite, sending no payloads. The check is VibeSec native and the finding is based only on what your site exposes publicly.

If this is in your report: how to fix it

  • Set Secure, HttpOnly and SameSite on every session cookie (SameSite=Lax is the usual choice; Strict where your flows allow it). Most frameworks expose these as options on their session middleware, so the fix is normally configuration rather than code.
  • Serve the whole site over HTTPS and enable HSTS so the browser never makes the plaintext request that a cookie without Secure would ride on.
  • Prefer the __Host- cookie name prefix for the session cookie: browsers only accept it with Secure and Path=/ and without a Domain attribute, which pins it to your origin.
  • Treat SameSite as one layer, not the whole CSRF defense: keep anti-CSRF tokens on state-changing requests.
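The passive check described above and the hardened cookie recommended here, as an added example that is not VibeSec's own code. It parses Set-Cookie headers the way a read-only header audit would, reports which of the three attributes is missing or weakened (including a SameSite=None case and a broken __Host- prefix), and builds a session cookie that passes the same audit. The function names, the session-cookie name heuristic and the sample headers are constructed for illustration.

```python
"""Audit Set-Cookie headers for Secure / HttpOnly / SameSite, and build a
session cookie that passes the same audit (illustrative, not VibeSec code)."""
from dataclasses import dataclass, field
from typing import Optional

# Name fragments that usually mark a session or auth cookie (assumed heuristic).
SESSION_NAME_HINTS = ("sess", "sid", "token", "auth", "jwt")


@dataclass
class CookieAudit:
    name: str
    attributes: dict            # lowercased attribute name -> value (None for flags)
    issues: list = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Split 'name=value; Attr; Attr=val' (RFC 6265 syntax) into name and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() if val else None
    return CookieAudit(name=name.strip(), attributes=attrs)


def looks_like_session_cookie(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def audit_set_cookie(header: str) -> CookieAudit:
    """Report which protective attributes are missing or weakened on one cookie."""
    audit = parse_set_cookie(header)
    attrs = audit.attributes
    same_site = (attrs.get("samesite") or "").lower()

    if "secure" not in attrs:
        audit.issues.append("missing Secure: sent over plaintext HTTP, exposed to network sniffing")
    if "httponly" not in attrs:
        audit.issues.append("missing HttpOnly: readable via document.cookie, exposed to XSS theft")
    if "samesite" not in attrs:
        audit.issues.append("missing SameSite: relies on browser defaults against CSRF")
    elif same_site == "none":
        audit.issues.append("SameSite=None: attached to cross-site requests, no CSRF protection")
    # Browsers drop __Host- cookies that break the prefix rules (Secure, Path=/, no Domain).
    if audit.name.startswith("__Host-") and (
        "secure" not in attrs or attrs.get("path") != "/" or "domain" in attrs
    ):
        audit.issues.append("__Host- prefix rules violated: browser will reject the cookie")
    return audit


def audit_response_cookies(set_cookie_headers: list) -> dict:
    """Audit every Set-Cookie header of a response. Returns {cookie name: [issues]}
    for session-looking cookies only, since the finding concerns session cookies."""
    findings = {}
    for header in set_cookie_headers:
        result = audit_set_cookie(header)
        if looks_like_session_cookie(result.name):
            findings[result.name] = result.issues
    return findings


def build_session_cookie(name: str, value: str, same_site: str = "Lax",
                         max_age: Optional[int] = None) -> str:
    """Hardened Set-Cookie value: __Host- prefix pins the cookie to this origin and Path=/."""
    header = f"__Host-{name}={value}; Path=/; Secure; HttpOnly; SameSite={same_site}"
    if max_age is not None:
        header += f"; Max-Age={max_age}"
    return header


# Constructed sample response headers (not captured from any real site).
SAMPLE_SET_COOKIE_HEADERS = [
    "sessionid=9f2a7c; Path=/",                        # weak: all three attributes missing
    "csrftoken=77ab; Path=/; Secure; SameSite=None",    # SameSite=None and no HttpOnly
    "theme=dark; Path=/",                               # not a session cookie, skipped
    build_session_cookie("sessionid", "9f2a7c", max_age=3600),
]

if __name__ == "__main__":
    for cookie_name, issues in audit_response_cookies(SAMPLE_SET_COOKIE_HEADERS).items():
        print(cookie_name, "->", issues or ["OK"])
```

The audit deliberately treats SameSite=None as a finding rather than as "present": that value is what opts a cookie into cross-site requests, so on a session cookie it is functionally the same as leaving the attribute off. The __Host- check matters because a prefix that the browser rejects silently turns a hardened cookie into no session at all, which is the failure you want to catch in a review before it reaches production.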

Check your site for this

Run a scan and see whether this affects you, in plain language with copy-paste fixes.

Scan your site for free