I run vulnerability scans that sometimes show positive for one vulnerability or another.
A recent vulnerability scan came up positive: "High: Missing `httpOnly` Cookie Attribute".:
Release : 3.3
Component : PRIVILEGED ACCESS MANAGEMENT
The HttpOnly vulnerability is described as follows: HttpOnly is a flag added to cookies that tell the browser not to display the cookie through client-side scripts (document.cookie and others). ... When you set a cookie with the HttpOnly flag, it informs the browser that this special cookie should only be accessed by the server.
During vulnerability scans, this particular issue can cause false positives for certain URLs. You can check the problem by using a browser to test. You can use either IE or Chrome. In both browsers there are tools that can show you whether the browsing is actually protecting you.
To check for a vulnerability in your Chrome browser:
1- log into the url for the CAPAM address that had the issue.
2- click on the three vertical dots to the right in the browser bar.
3- select "More Tools/Developer Tools and a developer screen opens at the bottom of your screen.
4- If it is not already on the Application tab, select the Application tab.
5- in the left hand side, go down to Storage/Cookies and click on the arrow at Cookies so that the arrow is pointing down, and proceed to log into CAPAM.
6- the url for your CAPAM should appear under cookies, click on that url.
7- the result will show results of JSESSIONID (JSON) and PHPSESSID (PHP) for checked for HttpOnly and checked for Secure as well, meaning it is protected.
See the attached screenshot of the Chrome screen with the results of the Tools/Cookies page:
To use IE11 browser in the same way as Chrome, here is a procedure that will give you some similar output, but is not as informative as Chrome:
Results may vary due to the version of CAPAM, and the patch level installed. You may see a positive that actually is a vulnerability which means if you see your are not protected in the browser you are probably vulnerable. You would check the released patches for a fix or you may need to upgrade.