EDR: Is it a vulnerability within the _xsrf_token cookie not having the "HttpOnly" flag set?


Article ID: 289107


Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Is it a vulnerability within the _xsrf_token cookie not having the "HttpOnly" flag set?

Environment

  • EDR Server: 7.4.2 and Higher
  • Vulnerability scan against EDR server

Resolution

No. Product change CB-30453, included in EDR Server 7.4.2-srv and later, sets the "HttpOnly" flag on the session cookie named "session" that the application server issues after a successful user login. The _xsrf_token cookie does not need HttpOnly: an anti-CSRF token cookie is meant to be read by the browser-side application and sent back with each request, so marking it HttpOnly would break that protection, and the token is not a session credential. The cookie that must be kept away from script access is the session cookie, and as of 7.4.2 it is. To confirm the fix, inspect the Set-Cookie headers in the login response: "session" should carry HttpOnly, while _xsrf_token is expected not to. A scanner that still flags _xsrf_token for lacking HttpOnly on 7.4.2 or later can be treated as a false positive as long as the "session" cookie shows the flag.
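The following is an added example (not Carbon Black code and not part of the original article) of the check described above: it parses the Set-Cookie headers of a login response and applies the policy that the "session" cookie must be HttpOnly while the "_xsrf_token" cookie must remain readable by script. The cookie values, paths and the exact header shapes are constructed; only the two cookie names come from the article.

```python
"""Audit Set-Cookie headers from an EDR-style login response against a
cookie-flag policy: the session cookie must be HttpOnly, the anti-CSRF
token cookie must NOT be HttpOnly (the browser-side app has to read it).

Added example, not Carbon Black code. Cookie values and attributes below
are constructed placeholders; only the cookie names come from the article.
"""


def parse_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie header value into name, value and attributes.

    Attribute names are lower-cased; flag attributes without a value
    (HttpOnly, Secure) map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


# Policy: whether each cookie of interest must carry HttpOnly.
# "session" is a bearer credential and must be hidden from script.
# "_xsrf_token" exists to be read by script, so HttpOnly must be absent.
HTTPONLY_POLICY = {
    "session": True,
    "_xsrf_token": False,
}


def check_cookies(set_cookie_headers: list) -> list:
    """Return a list of findings for the given Set-Cookie header values.

    An empty list means every policy-covered cookie is configured correctly.
    Cookies not named in the policy are ignored.
    """
    findings = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        required = HTTPONLY_POLICY.get(cookie["name"])
        if required is None:
            continue
        has_httponly = cookie["attrs"].get("httponly") is True
        if required and not has_httponly:
            findings.append(
                f"{cookie['name']}: missing HttpOnly "
                "(session credential exposed to script)"
            )
        elif not required and has_httponly:
            findings.append(
                f"{cookie['name']}: HttpOnly set on anti-CSRF token; "
                "client-side code cannot read it"
            )
    return findings


# Constructed responses: the shape a pre-7.4.2 server might return (no
# HttpOnly on "session") and the shape after CB-30453. Values are fake.
BEFORE_FIX = [
    "session=2f9c1a0e; Path=/; Secure",
    "_xsrf_token=7b1e44d9; Path=/; Secure",
]
AFTER_FIX = [
    "session=2f9c1a0e; Path=/; Secure; HttpOnly",
    "_xsrf_token=7b1e44d9; Path=/; Secure",
]


if __name__ == "__main__":
    for label, headers in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        result = check_cookies(headers)
        print(f"{label}: {result or 'compliant'}")
```

Run it as-is to see the pre-fix response flagged only for the "session" cookie and the post-fix response reported as compliant; to audit a real server, replace the constructed lists with the Set-Cookie values captured from the login response.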