03-15-2013 03:21 AM - edited 03-11-2019 06:14 PM
Hi all,
Recently we had an external security scan and one of the things that was pointed out is the following:
4.5 Cookie not HTTP-Only
Targets: **.**.**.**
The web application sent a cookie that is not marked HTTP-Only. This allows the
cookie to be manipulated by client-side code (java,
javascript, actionscript, etc.) which could leave the site vulnerable to Cross-Site
Scripting vulnerabilities.
» Define all cookies as HTTP-only
Now I've done some searching but couldn't find a similar case to this question.
The firewall that is used:
Cisco ASA 5510
software version 8.2(3)
ASDM: 6.3(4)
Used feature that causes the cookie error (I've inspected the cookie object with Chrome and noticed that the HTTP-Only feature was indeed not enabled on this site/feature): AnyConnect (& AnyConnect Essentials)
Does anyone know if it's possible to even set the HTTP-Only mark in the cookie by yourself, or do you rely on a software update?
Regards
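A small defender-side check for the finding described above, added here as an example and not code from the original post or from Cisco: it parses `Set-Cookie` response headers and reports any cookie missing the `HttpOnly` (and `Secure`) attribute, so a result can be confirmed independently of the scanner. The header values below are constructed samples, not captured from an ASA, and `fetch_set_cookie_headers` is a hypothetical helper for running the same check live against a portal with a trusted certificate.

```python
import urllib.request

# Constructed sample Set-Cookie headers (not from a real ASA response).
SAMPLE_SET_COOKIE_HEADERS = [
    "session=abc123; Path=/; Secure",            # HttpOnly missing
    "prefs=dark; Path=/; Secure; HttpOnly",      # both flags present
    "tracker=xyz; Path=/",                       # both flags missing
]


def parse_set_cookie(header_value):
    """Split one Set-Cookie header into its name and attribute map.
    Attribute names are case-insensitive (RFC 6265), so they are lowered."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return {
        "name": name,
        "httponly": "httponly" in attrs,
        "secure": "secure" in attrs,
        "attrs": attrs,
    }


def find_weak_cookies(headers):
    """Return [(cookie_name, [problems...])] for every cookie lacking a flag."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        problems = []
        if not cookie["httponly"]:
            problems.append("missing HttpOnly")   # readable via document.cookie
        if not cookie["secure"]:
            problems.append("missing Secure")     # may be sent over plain HTTP
        if problems:
            findings.append((cookie["name"], problems))
    return findings


def fetch_set_cookie_headers(url):
    """Hypothetical live helper: collect all Set-Cookie headers from one response.
    Assumes the server certificate validates; not called in the offline sample."""
    with urllib.request.urlopen(url) as resp:
        return resp.headers.get_all("Set-Cookie") or []


if __name__ == "__main__":
    for name, problems in find_weak_cookies(SAMPLE_SET_COOKIE_HEADERS):
        print(f"{name}: {', '.join(problems)}")
```

Running it against the constructed samples reports `session` and `tracker`; the same parser can be pointed at a real portal via `fetch_set_cookie_headers` once the finding is being retested after a software update.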