Recently we had an external security scan and one of the things that was pointed out is the following:
4.5 Cookie not HTTP-Only
The web application sent a cookie that is not marked HTTP-Only. This allows the cookie to be manipulated by client-side code (java,
» Define all cookies as HTTP-only
Now I've done some searching but couldn't find a similar case to this question.
The firewall that is used:
Cisco ASA 5510
software version 8.2(3)
Used feature that causes the cookie error (I've inspected the cookie object with Chrome and noticed that the HTTP-Only feature was indeed not enabled on this site/feature): AnyConnect (& AnyConnect Essentials)
Does anyone know if it's possible to even set the HTTP-Only mark in the cookie by yourself, or do you rely on a software update?
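The scan finding quoted above is the kind of check a scanner or a proxy log review performs on every Set-Cookie header. The following is an added example (not from this thread, not Cisco code) that parses Set-Cookie values, reports cookies missing HttpOnly or Secure, and shows what a reverse proxy rewrite rule in front of the appliance would have to do; the cookie names and values are constructed placeholders, not real ASA cookies.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure flags (added example)."""
from dataclasses import dataclass
from typing import List


@dataclass
class CookieCheck:
    name: str
    httponly: bool
    secure: bool

    @property
    def findings(self) -> List[str]:
        """Scanner-style findings; empty list means the cookie is fine."""
        out = []
        if not self.httponly:
            out.append("Cookie not HTTP-Only")
        if not self.secure:
            out.append("Cookie not Secure")
        return out


def parse_set_cookie(header_value: str) -> CookieCheck:
    """Parse one Set-Cookie value. Attribute names are case-insensitive (RFC 6265)."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Flag attributes carry no value, so only the part before any '=' matters.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return CookieCheck(name=name, httponly="httponly" in attrs, secure="secure" in attrs)


def audit_set_cookie_headers(headers: List[str]) -> List[CookieCheck]:
    """Return only the cookies that a scanner would report."""
    return [c for c in (parse_set_cookie(h) for h in headers) if c.findings]


def harden_set_cookie(header_value: str) -> str:
    """What a front-end proxy rule would append when the backend cannot be patched
    (assumed mitigation, not something the ASA itself offers)."""
    check = parse_set_cookie(header_value)
    fixed = header_value.rstrip("; ")
    if not check.secure:
        fixed += "; Secure"
    if not check.httponly:
        fixed += "; HttpOnly"
    return fixed


# Constructed sample headers with placeholder names; not captured from a real device.
SAMPLE_HEADERS = [
    "vpnsession=abc123; path=/; secure",          # missing HttpOnly -> reported
    "tracking=xyz; path=/",                        # missing both flags -> reported
    "csrftoken=def456; Path=/; Secure; HttpOnly",  # both flags present -> clean
]

if __name__ == "__main__":
    for c in audit_set_cookie_headers(SAMPLE_HEADERS):
        print(f"{c.name}: {', '.join(c.findings)}")
```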
Here is the bugID for the above HTTP-Only cookie issue: CSCth55933
Pls kindly check the explanation in the further description:
While this is not a false positive, any vulnerability would be in the cross-site scripting attack and not in the lack of cookie protection through the use of the HttpOnly flag. This bug documents the investigation into cookie protection on the ASA.
The bug track is:
To fix this potential vulnerability Cisco will need to update their ASA VPN software to support the HTTP Only flag (when rendering HTML with cookies). So far Cisco has not put a fix in and doesn't appear to have any plans to modify the IOS to support the HttpOnly flag.
Browsers have supported this flag for over a decade, yet, Cisco does not support it.
The resolution tried at my organization was to either upgrade the IOS or downgrade to AnyConnect 3.0. Downgrading AnyConnect was the easier route.
I am configuring AnyConnect for the first time on an ASA 5510 running 9.0(4) and encountering the same issue. Has anyone found a solution to the HTTP only flag on the cookie?