01-23-2008 08:53 AM
Hi All,
I have a site running an application on which we have identified a vulnerability we wish to close. The CSS11501 is using the advance balance arrowpoint cookie method, however tests are showing that the HTTP only parameter is not set. I am unable to find a way of doing this at present. Does anyone know how to achieve this?
Until I can do so there is a remote possibility I am leaving my application open to cross site scripting attacks.
Microsoft uses the HTTPOnly cookie option which sets a HTTPOnly flag. The following URL has some information for review.
Thanks in advance for your help.
Alfie...
01-23-2008 11:08 PM
Alfie,
your security test tool assumes the CSS is a webserver and therefore complains when seeing some missing *flag*.
However, you won't be able to attack the CSS with whatever method that works against a webserver.
We have our own onboard DOS feature.
So, there is no option to use this microsoft HTTPOnly flag because there is no need for it.
Make sure the servers behind the CSS are protected and have your HTTPOnly flag.
Gilles.
01-24-2008 02:02 AM
Gilles,
Thanks for taking the time to respond.
Our web servers are already configured as you suggest. As such I guess we are OK if the onboard features prevent this type of attack.
Best Regards,
Alfie
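The check Alfie's tool ran, and the one Gilles suggests running against the web servers behind the CSS instead, can be reproduced with a small parser over the raw HTTP response. This is an added example, not code from the thread or from Cisco; the response and the cookie names in it (including the persistence cookie name "ARPT") are constructed.

```python
"""Report Set-Cookie headers that lack the HttpOnly (and Secure) attribute.

Added example, not from the thread or from Cisco. It parses a constructed
raw HTTP response the way a security test tool would, so the same check
can be pointed at each real server behind the load balancer.
"""

# Constructed sample response: the load balancer's persistence cookie
# (name "ARPT" is assumed here) has no HttpOnly flag, the application's
# session cookie has both flags, and a third cookie has neither.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: ARPT=ABCDEF; Path=/\r\n"
    "Set-Cookie: JSESSIONID=1234; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: prefs=dark; Path=/; Max-Age=3600\r\n"
    "\r\n"
    "<html></html>"
)


def parse_set_cookies(raw_response: str) -> list[tuple[str, list[str]]]:
    """Return (cookie_name, [attribute names, lowercased]) per Set-Cookie header."""
    head, _, _ = raw_response.partition("\r\n\r\n")  # headers only, body dropped
    cookies = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0].strip()
        # Attribute names are case-insensitive; "HttpOnly" and "httponly" both count.
        attrs = [p.split("=", 1)[0].strip().lower() for p in parts[1:] if p]
        cookies.append((cookie_name, attrs))
    return cookies


def missing_flags(raw_response: str) -> dict[str, list[str]]:
    """Map each cookie name to the flags it lacks (empty list means both are set)."""
    report = {}
    for name, attrs in parse_set_cookies(raw_response):
        report[name] = [f for f in ("httponly", "secure") if f not in attrs]
    return report


if __name__ == "__main__":
    for name, missing in missing_flags(SAMPLE_RESPONSE).items():
        status = "OK" if not missing else "missing " + ", ".join(missing)
        print(f"{name}: {status}")
```

Replace SAMPLE_RESPONSE with the header block captured from each origin server to confirm the application's own cookies carry the flag, since the load balancer's persistence cookie is the one that cannot be changed here.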