9 replies. Latest post 2013-02-27T08:36:22Z by SystemAdmin
SystemAdmin

Pinned topic: Detection of cookie HttpOnly attribute

2012-07-25T03:41:19Z
I have a session cookie without a value but with the HttpOnly attribute, i.e.:

Set-Cookie: Session=; path=/; HttpOnly

AppScan marks it as "Missing HttpOnly Attribute in Session Cookie".
AppScan version 8.00.0.2.
Is this correct behavior?
  • SystemAdmin

    Re: Detection of cookie HttpOnly attribute

    2012-07-25T05:38:08Z in response to SystemAdmin
    It seems that AppScan doesn't detect the HttpOnly attribute, because it also marks this one:

    Set-Cookie: SessionId=2txgpt55pwlbxw55khyivaqz; path=/; HttpOnly
    • bbrazeau

      2012-07-25T19:46:51Z in response to SystemAdmin
      Hi,

      This is a known issue and is logged in the following link:

      http://www-01.ibm.com/support/docview.wss?uid=swg1PM49121

      This issue is resolved in the 8.6 version of AppScan Enterprise.

      -B
      • SystemAdmin

        2013-02-24T03:29:13Z in response to bbrazeau
        We faced the same issue with the 'AppScan Standard 8.6.0.1, Rules: 1524' version. Could you let me know if this issue has been fixed in the Standard version? If not, let us know how to get the fix.
        • warrenm1

          2013-02-26T16:16:01Z in response to SystemAdmin
          Hi,

          Yes, those issues were fixed some time ago. I'd suggest you verify it isn't legitimate; in some cases a scan may contain multiple requests/responses containing the cookie, and some may contain HttpOnly and others not. Check your Application data, login management, and traffic log request/response data to ensure there isn't another request in there without it; if you can't find one, open a PMR with Support.

          Regards,
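A defender-side check for the situation described in the reply above (several responses setting the same cookie, some with HttpOnly and some without), written as an added example for this thread and not taken from AppScan or IBM: it parses each Set-Cookie header, treats an empty value such as `Session=` as valid, and reports every occurrence of a session-looking cookie that lacks HttpOnly or Secure, so one bare response is not hidden by the others. The request labels and the last three headers are constructed; the first two headers are the ones quoted in the thread; the `SESSION_HINT` name heuristic is an assumption.

```python
import re

# Constructed sample traffic: (request label, raw Set-Cookie header).
# The first two headers are those quoted in the thread; the rest are made up.
SAMPLE_TRAFFIC = [
    ("GET /login",   "Set-Cookie: Session=; path=/; HttpOnly"),
    ("POST /login",  "Set-Cookie: SessionId=2txgpt55pwlbxw55khyivaqz; path=/; HttpOnly"),
    ("GET /account", "Set-Cookie: SessionId=abc123; path=/; Secure; HttpOnly"),
    ("GET /legacy",  "Set-Cookie: SessionId=def456; path=/"),
    ("GET /",        "Set-Cookie: theme=dark; path=/"),
]

# Assumed heuristic for "session-like" cookie names; adjust to your application.
SESSION_HINT = re.compile(r"sess|sid|auth|token", re.IGNORECASE)


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased so HttpOnly/HTTPOnly/httponly compare equal;
    flag attributes map to None. An empty value ("Session=") is legal and must
    not stop the attributes after it from being read.
    """
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    pieces = [p.strip() for p in header.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs = {}
    for piece in pieces[1:]:
        if piece:
            key, has_val, val = piece.partition("=")
            attrs[key.strip().lower()] = val.strip() if has_val else None
    return name.strip(), value.strip(), attrs


def audit_session_cookies(traffic, required=("httponly", "secure")):
    """Return {cookie_name: [(request, [missing attrs]), ...]} for every
    session-like cookie occurrence that lacks a required attribute."""
    findings = {}
    for request, header in traffic:
        name, _value, attrs = parse_set_cookie(header)
        if not SESSION_HINT.search(name):
            continue
        missing = [a for a in required if a not in attrs]
        if missing:
            findings.setdefault(name, []).append((request, missing))
    return findings


if __name__ == "__main__":
    for cookie, hits in audit_session_cookies(SAMPLE_TRAFFIC).items():
        for request, missing in hits:
            print(f"{cookie}: {request} sets it without {', '.join(missing)}")
```

Feed it the Set-Cookie lines from the scan's traffic log to see which request is responsible for a finding before deciding it is a false positive.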
          • SystemAdmin

            2013-02-26T18:44:36Z in response to warrenm1
            Thanks for the reply. I might need to open a PMR.
            • SystemAdmin

              2013-02-26T19:47:04Z in response to SystemAdmin
              Hi,

              A PMR was already created for this.
              This is a fix that required a code change, and not just a rules update.
              It has been fixed and will be released as part of AppScan 8.7.
              The fixed PMR link can be found here: http://www-01.ibm.com/support/docview.wss?crawler=1&uid=swg1PM81161

              Cheers,
              Shahar
              • SystemAdmin

                2013-02-26T20:48:23Z in response to SystemAdmin
                The details at that link point to "PM81161: ASE: False Positive: Missing Secure Attribute", not to the HttpOnly issue. Are both the HttpOnly and Secure attribute issues fixed in 8.7?
                • SystemAdmin

                  2013-02-27T08:36:22Z in response to SystemAdmin
                  Hi,

                  Yes, sorry I didn't make it clear.
                  They are two sides of the same problem.
                  Both have been fixed for the 8.7 release.

                  Shahar
  • SystemAdmin

    2012-07-25T21:52:29Z in response to SystemAdmin
    Thanks for the response.