03-15-2013 03:21 AM - edited 03-11-2019 06:14 PM
Hi all,
Recently we had an external security scan and one of the things that was pointed out is the following:
4.5 Cookie not HTTP-Only
Targets: **.**.**.**
The web application sent a cookie that is not marked HTTP-Only. This allows the
cookie to be manipulated by client-side code (java,
javascript, actionscript, etc.) which could leave the site vulnerable to Cross-Site
Scripting vulnerabilities.
» Define all cookies as HTTP-only
Now I've done some searching but couldn't find a similar case to this question.
The firewall that is used:
Cisco ASA 5510
software version 8.2(3)
ASDM: 6.3(4)
Used feature that causes the cookie error (I've inspected the cookie object with Chrome and noticed that the HTTP-Only feature was indeed not enabled on this site/feature): AnyConnect (& AnyConnect Essentials)
Does anyone know if it's possible to even set the HTTP-Only mark in the cookie by yourself, or do you rely on a software update?
Regards
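A quick offline check for what the scanner flagged in the post above, added here as an example and not taken from the thread, from Cisco or from any scanner: it parses each Set-Cookie header of an HTTP response and reports cookies that lack the HttpOnly attribute (and, for a site served over TLS, the Secure attribute). The response headers and cookie names in the sample are constructed; the optional fetch helper uses only the standard-library http.client API.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure attributes.

Added example (not code from the thread or from Cisco). The sample
headers and cookie names below are constructed for illustration.
"""
import http.client
from dataclasses import dataclass, field


@dataclass
class CookieAudit:
    name: str
    attrs: dict                     # lower-cased attribute name -> value (None for bare flags)
    findings: list = field(default_factory=list)


def parse_set_cookie(header_value: str) -> CookieAudit:
    """Split one Set-Cookie value into the cookie name and its attributes.

    Attribute names are case-insensitive per RFC 6265, so they are
    lower-cased; bare flags such as HttpOnly and Secure map to None.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            attrs[part.lower()] = None
    return CookieAudit(name, attrs)


def audit_cookie(header_value: str, over_tls: bool = True) -> CookieAudit:
    """Return the parsed cookie with a finding for each missing protection."""
    cookie = parse_set_cookie(header_value)
    if "httponly" not in cookie.attrs:
        cookie.findings.append("missing HttpOnly")   # readable by client-side script
    if over_tls and "secure" not in cookie.attrs:
        cookie.findings.append("missing Secure")     # may be sent over plain HTTP
    return cookie


def audit_response_headers(headers, over_tls: bool = True) -> dict:
    """Map every cookie name in a list of (header, value) pairs to its findings."""
    results = {}
    for header, value in headers:
        if header.lower() != "set-cookie":
            continue
        cookie = audit_cookie(value, over_tls)
        results[cookie.name] = cookie.findings
    return results


def fetch_and_audit(host: str, path: str = "/") -> dict:
    """Fetch a page over HTTPS and audit its cookies (network access required)."""
    conn = http.client.HTTPSConnection(host, timeout=10)
    conn.request("GET", path)
    response = conn.getresponse()
    try:
        return audit_response_headers(response.getheaders(), over_tls=True)
    finally:
        conn.close()


# Constructed sample response headers (hypothetical cookie names).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session_id=abc123; path=/; secure"),
    ("Set-Cookie", "login_ok=1; path=/; HttpOnly; Secure"),
    ("Set-Cookie", "pref=dark; path=/"),
]


if __name__ == "__main__":
    for name, findings in audit_response_headers(SAMPLE_HEADERS).items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```

Run it as-is to see the constructed sample audited; point fetch_and_audit at a host you administer to check a real login page. Note that attribute matching is case-insensitive, so "httponly" and "HttpOnly" both count, which matches how browsers treat the flag.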
03-17-2013 02:30 PM
Here is the bugID for the above HTTP-Only cookie issue: CSCth55933
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCth55933
Please kindly check the explanation in the further description:
While this is not a false positive, any vulnerability would be in the cross-site scripting attack and not in the lack of cookie protection through the use of the HttpOnly flag. This bug documents the investigation into cookie protection on the ASA.
07-30-2013 12:51 AM
I have read the content of the link, but it points to using the "Next Generation software". Is the version 9 series the next generation?
08-12-2013 04:10 PM
We are running ver 8.2(5)41 on 5520 and internal security scan pointed same vulnerability. Is there a fix for this bug?
02-25-2016 01:37 PM
The bug track is:
https://tools.cisco.com/bugsearch/bug/CSCuc23836
To fix this potential vulnerability Cisco will need to update their ASA VPN software to support the HTTP Only flag (when rendering HTML with cookies). So far Cisco has not put a fix in and doesn't appear to have any plans to modify the IOS to support the HttpOnly flag.
Browsers have supported this flag for over a decade, yet, Cisco does not support it.
https://www.owasp.org/index.php/HttpOnly
09-20-2013 08:10 AM
This link is not good anymore. Is there any fix to the PCI DSS failure?
12-05-2013 03:32 PM
Cisco, any updates on this?
12-05-2013 04:13 PM
The resolution tried at my organization was to either upgrade the IOS or downgrade to AnyConnect 3.0. Downgrading AnyConnect was the easier route.
01-20-2015 06:37 AM
I am configuring AnyConnect for the first time on an ASA 5510 running 9.0(4) and encountering the same issue. Has anyone found a solution to the HTTP only flag on the cookie?