[ASA5510] Cisco AnyConnect - Cookie not HTTP-Only

Hi all,

Recently we had an external security scan and one of the things that was pointed out is the following:

4.5 Cookie not HTTP-Only
Targets: **.**.**.**
The web application sent a cookie that is not marked HTTP-Only. This allows the cookie to be manipulated by client-side code (java, javascript, actionscript, etc.) which could leave the site vulnerable to Cross-Site Scripting vulnerabilities.
» Define all cookies as HTTP-only

Now I've done some searching but couldn't find a similar case to this question.

The firewall that is used:

Cisco ASA 5510

software version 8.2(3)

ASDM: 6.3(4)

Used feature that causes the cookie error (I've inspected the cookie object with Chrome and noticed that the HTTP-Only feature was indeed not enabled on this site/feature): AnyConnect (& AnyConnect Essentials)

Does anyone know if it's possible to even set the HTTP-Only mark in the cookie by yourself, or do you rely on a software update?

Regards
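One way to reproduce the scanner's check against a captured response head, as an added example that is not from the thread or from Cisco: it lists every Set-Cookie header and reports which cookies lack the HttpOnly (and Secure) attribute. The response text and cookie names below are constructed placeholders, not real ASA or AnyConnect cookie names.

```python
"""Audit the Set-Cookie headers of an HTTP response for the HttpOnly flag.

Added example for this thread; not code from the original posts or from
Cisco.  The response text below is constructed, and the cookie names are
placeholders, not real ASA or AnyConnect cookie names.
"""
from typing import Dict, List

# Constructed sample response head (status line + headers, no body).
SAMPLE_RESPONSE_HEADERS = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: sessionA=abc123; Path=/; Secure\r\n"
    "Set-Cookie: sessionB=def456; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: pref=en; Path=/\r\n"
    "\r\n"
)

# Attributes a scanner expects on a session cookie served over HTTPS.
REQUIRED_ATTRIBUTES = ("httponly", "secure")


def parse_set_cookie_headers(raw: str) -> List[str]:
    """Return every Set-Cookie value from a raw response head, in order.

    Header names are compared case-insensitively; the status line is skipped.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def audit_cookie(set_cookie: str) -> Dict[str, object]:
    """Report which required attributes a single Set-Cookie value lacks.

    Attribute names are matched case-insensitively, as browsers do, so
    'httponly', 'HttpOnly' and 'HTTPONLY' all count.
    """
    parts = [p.strip() for p in set_cookie.split(";")]
    cookie_name = parts[0].split("=", 1)[0].strip()
    attributes = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    missing = [a for a in REQUIRED_ATTRIBUTES if a not in attributes]
    return {"name": cookie_name, "missing": missing}


def audit_response(raw: str) -> Dict[str, List[str]]:
    """Map each cookie name in the response to the attributes it is missing."""
    report = {}
    for header in parse_set_cookie_headers(raw):
        result = audit_cookie(header)
        report[result["name"]] = result["missing"]
    return report


def cookies_without_httponly(raw: str) -> List[str]:
    """Names of cookies that would trigger a 'Cookie not HTTP-Only' finding."""
    return [name for name, missing in audit_response(raw).items()
            if "httponly" in missing]


if __name__ == "__main__":
    for name, missing in audit_response(SAMPLE_RESPONSE_HEADERS).items():
        status = "OK" if not missing else "missing " + ", ".join(missing)
        print(f"{name}: {status}")
```

Feed it the raw headers you saved from the browser's developer tools or from a `curl -I` run against your own portal; a cookie listed by `cookies_without_httponly` is exactly what the scan flagged. Note that, as the replies below state, the flag is set by the ASA's software rather than by configuration, so the check only confirms the finding; it cannot fix it.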

8 Replies

Jennifer Halim
Cisco Employee

Here is the bugID for the above HTTP-Only cookie issue: CSCth55933

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCth55933

Pls kindly check on the explanation on further description:

While this is not a false positive, any vulnerability would be in the cross-site scripting attack and not in the lack of cookie protection through the use of the HttpOnly flag. This bug documents the investigation into cookie protection on the ASA.

I have read the content of the link, but it points to using the "Next Generation software". Is the version 9 series the next generation?

We are running ver 8.2(5)41 on 5520 and internal security scan pointed same vulnerability. Is there a fix for this bug?

The bug track is:

https://tools.cisco.com/bugsearch/bug/CSCuc23836

To fix this potential vulnerability Cisco will need to update their ASA VPN software to support the HTTP Only flag (when rendering HTML with cookies). So far Cisco has not put a fix in and doesn't appear to have any plans to modify the IOS to support the HttpOnly flag.

Browsers have supported this flag for over a decade, yet, Cisco does not support it.

https://www.owasp.org/index.php/HttpOnly

This link is not good anymore. Is there any fix to the PCI DSS failure?

Cisco, any updates on this?

The resolution tried at my organization was to either upgrade the IOS or downgrade to AnyConnect 3.0. Downgrading AnyConnect was the easier route.

gchevalley
Level 1

I am configuring AnyConnect for the first time on an ASA 5510 running 9.0(4) and encountering the same issue. Has anyone found a solution to the HTTP only flag on the cookie?
