A SOC team at a major financial institution detects unauthorized access attempts on its web...

The focus on cookie attributes (HttpOnly, Secure, SameSite) strongly aligns with session security and session integrity. These attributes are designed to protect session cookies from being stolen or misused: HttpOnly limits JavaScript access to cookies, Secure restricts cookies to HTTPS, and SameSite reduces cross-site request risks. When investigators assess these settings, they are often evaluating whether session tokens could be manipulated, injected, fixed, or abused—behaviors consistent with session poisoning and related session attacks. While XSS can be used to steal cookies, the investigation described is not centered on injected script payloads in application responses; it is centered on cookie security posture and abnormal request patterns tied to sessions. SQL injection is primarily about manipulating database queries and would be investigated through query-related payloads and database error patterns rather than cookie attribute review. MITM attacks can intercept session cookies if transport security is weak, but the question emphasizes cookie attribute weaknesses and anomalous session request patterns—more directly associated with session poisoning/session hijacking analysis. In SOC response, confirming session attack vectors typically leads to rotating session secrets, invalidating active sessions, tightening cookie flags, enforcing TLS, and adding anomaly detection for session token reuse and impossible travel.