03-15-2013 03:21 AM - edited 03-11-2019 06:14 PM
Hi all,
Recently we had an external security scan and one of the things that was pointed out is the following:
4.5 Cookie not HTTP-Only
Targets: **.**.**.**
The web application sent a cookie that is not marked HTTP-Only. This allows the cookie to be manipulated by client-side code (java, javascript, actionscript, etc.) which could leave the site vulnerable to Cross-Site Scripting vulnerabilities.
» Define all cookies as HTTP-only
Now I've done some searching but couldn't find a similar case to this question.
The firewall that is used:
Cisco ASA 5510
software version 8.2(3)
ASDM: 6.3(4)
Used feature that causes the cookie error (I've inspected the cookie object with Chrome and noticed that the HTTP-Only feature was indeed not enabled on this site/feature): AnyConnect (& AnyConnect Essentials)
Does anyone know if it's possible to even set the HTTP-Only mark in the cookie by yourself, or do you rely on a software update?
Regards
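The check the scanner performed can be reproduced offline against the Set-Cookie headers a browser or curl shows. The script below is an added example, not code from the thread or from Cisco; the header values in it are constructed samples, not captured from an ASA.

```python
"""Audit Set-Cookie header values for the HttpOnly (and Secure) attributes.

Added example for this thread: it performs, offline, the same test a web
scanner runs when it reports "Cookie not HTTP-Only". Input is a list of raw
Set-Cookie values, e.g. copied from the browser's network panel or `curl -I`.
"""
from typing import Dict, List


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Split one Set-Cookie value into name, value and its attributes.

    Attribute names are case-insensitive (RFC 6265), so they are lower-cased.
    Flag attributes such as HttpOnly and Secure carry an empty value.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_cookies(headers: List[str]) -> List[Dict[str, object]]:
    """Return one finding per cookie that lacks HttpOnly or Secure."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        missing = [a for a in ("httponly", "secure") if a not in cookie["attrs"]]
        if missing:
            findings.append({"name": cookie["name"], "missing": missing})
    return findings


# Constructed sample headers (not from a real device): one compliant cookie,
# one missing HttpOnly (the condition the scan reported), one missing both.
SAMPLE_HEADERS = [
    "sessid=abc123; Path=/; Secure; HttpOnly",
    "portal=tok456; Path=/; Secure",
    "pref=en; Path=/",
]

if __name__ == "__main__":
    for finding in audit_cookies(SAMPLE_HEADERS):
        print(f"cookie {finding['name']!r} missing: {', '.join(finding['missing'])}")
```

Feed it the real Set-Cookie values from the VPN portal's response to confirm a finding before and after a software change.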
03-17-2013 02:30 PM
Here is the bugID for the above HTTP-Only cookie issue: CSCth55933
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCth55933
Please kindly check the explanation in the further description:
While this is not a false positive, any vulnerability would be in the cross-site scripting attack and not in the lack of cookie protection through the use of the HttpOnly flag. This bug documents the investigation into cookie protection on the ASA.
07-30-2013 12:51 AM
I have read the content of the link, but it points to using the "Next Generation software". Is the version 9 series the next generation?
08-12-2013 04:10 PM
We are running ver 8.2(5)41 on 5520 and internal security scan pointed same vulnerability. Is there a fix for this bug?
02-25-2016 01:37 PM
The bug track is:
https://tools.cisco.com/bugsearch/bug/CSCuc23836
To fix this potential vulnerability Cisco will need to update their ASA VPN software to support the HttpOnly flag (when rendering HTML with cookies). So far Cisco has not put in a fix and doesn't appear to have any plans to modify the IOS to support the HttpOnly flag.
Browsers have supported this flag for over a decade, yet, Cisco does not support it.
https://www.owasp.org/index.php/HttpOnly
09-20-2013 08:10 AM
This link is not good anymore. Is there any fix to the PCI DSS failure?
12-05-2013 03:32 PM
Cisco, any updates on this?
12-05-2013 04:13 PM
The resolution tried at my organization was to either upgrade the IOS or downgrade to AnyConnect 3.0. Downgrading AnyConnect was the easier route.
01-20-2015 06:37 AM
I am configuring AnyConnect for the first time on an ASA 5510 running 9.0(4) and encountering the same issue. Has anyone found a solution to the HTTP only flag on the cookie?