Vulnerability scan shows positive for HttpOnly cookie, but is actually a false positive

book

Article ID: 142478

calendar_today

Updated On:

Products

CA Privileged Access Manager (PAM) CA Privileged Access Manager - Cloakware Password Authority (PA) PAM SAFENET LUNA HSM CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

I run vulnerability scans that sometimes show positive for one vulnerability or another. 

A recent vulnerability scan came up positive: "High: Missing `httpOnly` Cookie Attribute".

Risk:High
Application:https 

Port:443 

Protocol:tcp 

ScriptID:105925 

Vulnerability Detection Result: 

The cookies: 

Set-Cookiefromindexphp=***replaced***; path=/; Secure are missing the "httpOnly" attribute.
CVSS Base Vector:

AV:N/AC:L/Au:N/C:P/I:N/A:N 

InsightThe flaw is due to a cookie is not using the 'httpOnly' attribute. This allows a cookie to be accessed by JavaScript which could lead to session hijacking attacks. 

Affected Software/OS: Application with session handling in cookies. 

Vulnerability Detection Method: Check all cookies sent by the application for a missing 'httpOnly' attribute 

Summary:The application is missing the 'httpOnly' cookie attribute 

SolutionSet the 'httpOnly' attribute for any session cookie. 

Cause

The HttpOnly vulnerability is described as follows:  HttpOnly is a flag added to cookies that tell the browser not to display the cookie through client-side scripts (document.cookie and others). ... When you set a cookie with the HttpOnly flag, it informs the browser that this special cookie should only be accessed by the server.

During vulnerability scans, this particular issue can cause false positives for certain URLs.  You can check the problem by using a browser to test.  You can use either IE or Chrome.  In both browsers there are tools that can show you whether the browsing is actually protecting you.  

Environment

Release : 3.3

Component : PRIVILEGED ACCESS MANAGEMENT

Resolution

To check for a vulnerability in your Chrome browser:

1- log into the url for the CAPAM address that had the issue.

2- click on the three vertical dots to the right in the browser bar.

3- select "More Tools/Developer Tools and a developer screen opens at the bottom of your screen.

4- If it is not already on the Application tab, select the Application tab.

5- in the left hand side, go down to Storage/Cookies and click on the arrow at Cookies so that the arrow is pointing down, and proceed to log into CAPAM.

6- the url for your CAPAM should appear under cookies, click on that url.

7- the result will show results of JSESSIONID (JSON) and PHPSESSID (PHP) for checked for HttpOnly and checked for Secure as well, meaning it is protected.

 

See the attached screenshot of the Chrome screen with the results of the Tools/Cookies page:

 

To use IE11 browser in the same way as Chrome, here is a procedure that will give you some similar output, but is not as informative as Chrome:

https://stackoverflow.com/questions/21006062/ie-11-cookies-in-developer-tools

 

Additional Information

Results may vary due to the version of CAPAM, and the patch level installed. You may see a positive that actually is a vulnerability which means if you see your are not protected in the browser you are probably vulnerable.  You would check the released patches for a fix or you may need to upgrade.

Attachments