Topic
  • 9 replies
  • Latest Post - 2013-02-27T08:36:22Z by SystemAdmin
SystemAdmin (403 Posts)

Pinned topic Detection of cookie HttpOnly attribute

2012-07-25T03:41:19Z
I have a session cookie without a value but with the HttpOnly attribute, i.e.:

Set-Cookie: Session=; path=/; HttpOnly

AppScan marks it as "Missing HttpOnly Attribute in Session Cookie".
AppScan version <8.00.0.2>.
Is this correct behavior?
  • SystemAdmin (403 Posts)

    Re: Detection of cookie HttpOnly attribute

    2012-07-25T05:38:08Z
    It seems that AppScan doesn't detect the HttpOnly attribute at all, because it also marks this one:

    Set-Cookie: SessionId=2txgpt55pwlbxw55khyivaqz; path=/; HttpOnly
  • bbrazeau (148 Posts)

    Re: Detection of cookie HttpOnly attribute

    2012-07-25T19:46:51Z
    Hi,

    This is a known issue and is logged in the following link:

    http://www-01.ibm.com/support/docview.wss?uid=swg1PM49121

    This issue is resolved in the 8.6 version of AppScan Enterprise

    -B
  • SystemAdmin (403 Posts)

    Re: Detection of cookie HttpOnly attribute

    2012-07-25T21:52:29Z
    Thanks for response.
  • SystemAdmin (403 Posts)

    Re: Detection of cookie HttpOnly attribute

    2013-02-24T03:29:13Z
    We faced the same issue with the 'AppScan Standard 8.6.0.1, Rules: 1524' version. Could you let me know if this issue has been fixed in the Standard version? If not, let us know how to get the fix.
  • warrenm1 (224 Posts)

    Re: Detection of cookie HttpOnly attribute

    2013-02-26T16:16:01Z
    Hi,

    Yes, those issues were fixed some time ago. I'd suggest you verify it isn't legitimate; in some cases a scan may contain multiple requests/responses containing the cookie, and some may contain HTTPOnly and others not. Check your Application data, login management and traffic log request/response data to ensure there isn't another request in there without it; if you can't find one, open a PMR with Support.

    Regards,
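The check warrenm1 describes above (whether some responses in the scan set the session cookie with HttpOnly and others without), carried through for both HttpOnly and Secure, since the last post in the thread says the two false positives are sides of the same problem. This is an added example, not AppScan's code: the captured responses and cookie names are constructed, and the parser is written to accept the empty-value `Session=` cookie from the original post.

```python
"""Audit Set-Cookie headers across captured responses for HttpOnly/Secure."""
from collections import defaultdict

# Constructed sample capture: (request id, raw Set-Cookie header values).
CAPTURED_RESPONSES = [
    ("GET /login",   ["Session=; path=/; HttpOnly"]),
    ("POST /login",  ["SessionId=2txgpt55pwlbxw55khyivaqz; path=/; HttpOnly"]),
    ("GET /account", ["SessionId=2txgpt55pwlbxw55khyivaqz; path=/"]),
    ("GET /help",    ["theme=dark; Path=/; Secure; HTTPONLY"]),
]

FLAG_ATTRS = {"httponly", "secure"}  # attributes that carry no value


def parse_set_cookie(header):
    """Return (name, value, attrs) for one Set-Cookie header value.

    Attribute names are lowercased so 'HttpOnly' and 'HTTPONLY' match, and
    flag attributes map to True. An empty cookie value ('Session=') is kept
    as '' rather than being treated as a parse failure."""
    parts = [p.strip() for p in header.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep:
        raise ValueError(f"no '=' in cookie-pair: {parts[0]!r}")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        attrs[key] = True if key in FLAG_ATTRS else val.strip()
    return name.strip(), value, attrs


def audit(responses, names=("Session", "SessionId")):
    """Map each session cookie name to the request ids whose response set it
    without HttpOnly or without Secure. A cookie that carried both flags in
    every response does not appear in the result."""
    findings = defaultdict(lambda: {"missing_httponly": [], "missing_secure": []})
    for req_id, headers in responses:
        for h in headers:
            name, _value, attrs = parse_set_cookie(h)
            if name not in names:
                continue
            if not attrs.get("httponly"):
                findings[name]["missing_httponly"].append(req_id)
            if not attrs.get("secure"):
                findings[name]["missing_secure"].append(req_id)
    return {n: dict(v) for n, v in findings.items()}


if __name__ == "__main__":
    for cookie, result in audit(CAPTURED_RESPONSES).items():
        print(cookie, result)
```

Running it on the constructed capture reports `SessionId` as missing HttpOnly only on `GET /account`, which is the kind of second response warrenm1 suggests looking for before raising a PMR.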
  • SystemAdmin (403 Posts)

    Re: Detection of cookie HttpOnly attribute

    2013-02-26T18:44:36Z
    Thanks for the reply. I might need to open a PMR.
  • SystemAdmin (403 Posts)

    Re: Detection of cookie HttpOnly attribute

    2013-02-26T19:47:04Z
    Hi,

    A PMR was already created for this.
    This is a fix that required a code change, and not just a rules update.
    It has been fixed and will be released as part of AppScan 8.7.
    Fixed PMR link can be found here: http://www-01.ibm.com/support/docview.wss?crawler=1&uid=swg1PM81161

    Cheers,
    Shahar
  • SystemAdmin (403 Posts)

    Re: Detection of cookie HttpOnly attribute

    2013-02-26T20:48:23Z
    The details at that link point to "PM81161: ASE: False Positive: Missing Secure Attribute", not to the HttpOnly issue. Are both the HttpOnly and Secure attribute issues fixed in 8.7?
  • SystemAdmin (403 Posts)

    Re: Detection of cookie HttpOnly attribute

    2013-02-27T08:36:22Z
    Hi,

    Yes, sorry, I didn't make that clear.
    They are two sides of the same problem.
    Both have been fixed for the 8.7 release.

    Shahar