Forum Discussion

AshuA_246482
Nov 29, 2017

How to fix secure cookie parameter - finding of pen test

We had a pen test done on a newly deployed application, and one of their findings is:
When cookies are set which are used on the encrypted (HTTPS) part of the website, the Secure cookie parameter is not supplied.
3 Replies

  • 2. These cookies are used on the encrypted (HTTPS) part of the website. Because they are not marked as Secure, these cookies will also be sent through unencrypted connections to the server.
    3. When cookies are transmitted over an unencrypted connection, and an attacker is able to place himself between a victim's browser and the web server, the attacker will be able to intercept the contents of the cookies.
    4. Supply the cookie parameter Secure when setting a cookie intended for the part of the application where encryption is used.
    How to fix this finding?
  • Another finding: cookie & requestVerificationToken is set without the HttpOnly Cookie parameter.
    Question: How to set cookie & requestVerificationToken with the HttpOnly Cookie parameter on LTM running on 11.6?
    Risk: When a cross-site scripting vulnerability is present, an attacker may unnecessarily be able to retrieve sensitive information from cookies.
    Recommendation: Supply the HttpOnly cookie parameter when the server sets a cookie through Set-Cookie.
  • If you cannot update the back-end application/web server to add them, you can do the following in an iRule on the response.

    when HTTP_RESPONSE {
      # Only touch the Set-Cookie for the application cookie (straight quotes; curly quotes break Tcl parsing)
      if {[HTTP::cookie exists "newappcookie"]} {
        # Add the Secure attribute so the browser only sends it over HTTPS
        HTTP::cookie secure "newappcookie" enable
        # Add HttpOnly so script cannot read it via document.cookie
        HTTP::cookie httponly "newappcookie" enable
      }
    }


    You might also be able to do it using a Policy.

    You might also need to set the cookie version to 0 with the following line before setting the Secure and HttpOnly flags:

    HTTP::cookie version "newappcookie" 0


    Test it with and without, and see which works.
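As an added example (not code from the thread or from F5), the same approach generalized to every Set-Cookie header in the response, with a static list of cookie names that client-side script must still read and therefore cannot be HttpOnly; the list contents and the cookie name in it are assumptions.

```tcl
# Added example: apply Secure and HttpOnly to every Set-Cookie in the response,
# except cookies that front-end JavaScript must read (those cannot be HttpOnly).
when RULE_INIT {
    # Hypothetical list; fill it with the cookies your application's script reads.
    set static::js_readable_cookies [list "XSRF-TOKEN"]
}

when HTTP_RESPONSE {
    # HTTP::cookie names lists every cookie the server is setting in this response
    foreach name [HTTP::cookie names] {
        # Secure is safe on every cookie when the virtual server is HTTPS-only
        HTTP::cookie secure $name enable
        # HttpOnly only where no browser script needs to read the value
        if { [lsearch -exact $static::js_readable_cookies $name] == -1 } {
            HTTP::cookie httponly $name enable
        }
    }
}
```

If the attributes do not appear in the browser, the version-0 line from the reply above goes inside the loop, before the two enable commands, using `$name` in place of the literal cookie name.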