EDR: Is it a vulnerability within the _xsrf_token cookie not having the "HttpOnly" flag set?
Article ID: 289107
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
Is it a vulnerability within the _xsrf_token cookie not having the "HttpOnly" flag set?
Environment
EDR Server: 7.4.2 and Higher
Vulnerability scan against EDR server
Resolution
No. Product change CB-30453, added in version 7.4.2-srv, enables the "HttpOnly" flag for the session cookie "session" that the application server issues upon a successful user login. An anti-CSRF token cookie is meant to be read by client-side script and echoed back with requests, so marking it HttpOnly would defeat its purpose; with the session cookie protected, there is no need to enable HttpOnly for the _xsrf_token cookie.
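As an added illustration, not code from the article or from Carbon Black, the following check parses Set-Cookie headers and applies the policy described above when triaging a scanner finding: the "session" cookie must carry HttpOnly, while "_xsrf_token" is expected to stay script-readable. The sample headers and the policy sets are assumptions constructed for this example.

```python
"""Triage a 'missing HttpOnly' scanner finding against a cookie policy.

Policy assumed here (constructed for this example, not from the article):
the application session cookie "session" must be HttpOnly; the anti-CSRF
cookie "_xsrf_token" must be readable by browser script, so the absence of
HttpOnly on it is expected rather than a finding.
"""
from http.cookies import SimpleCookie
from typing import Dict, List

# Constructed sample Set-Cookie header values (not captured from a real server).
SAMPLE_SET_COOKIE_HEADERS = [
    "session=abc123; Path=/; Secure; HttpOnly",
    "_xsrf_token=tok456; Path=/; Secure",
]

# Cookies that must carry HttpOnly (assumed policy).
HTTPONLY_REQUIRED = {"session"}
# Cookies that client-side script must read, so HttpOnly is deliberately absent.
SCRIPT_READABLE = {"_xsrf_token"}


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Return the cookie name and its Secure/HttpOnly flags from one header value."""
    jar = SimpleCookie()
    jar.load(header)
    name, morsel = next(iter(jar.items()))
    # Unset flags are stored as "" by SimpleCookie, set flags as True.
    return {
        "name": name,
        "httponly": bool(morsel["httponly"]),
        "secure": bool(morsel["secure"]),
    }


def evaluate(headers: List[str]) -> List[str]:
    """Return policy findings for a list of Set-Cookie values; [] means pass."""
    findings: List[str] = []
    for header in headers:
        c = parse_set_cookie(header)
        if not c["secure"]:
            findings.append(f'{c["name"]}: missing Secure')
        if c["name"] in HTTPONLY_REQUIRED and not c["httponly"]:
            findings.append(f'{c["name"]}: missing HttpOnly')
        if c["name"] in SCRIPT_READABLE and c["httponly"]:
            findings.append(f'{c["name"]}: HttpOnly set on a cookie scripts must read')
    return findings


if __name__ == "__main__":
    print(evaluate(SAMPLE_SET_COOKIE_HEADERS) or ["no findings"])
```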