AshuA_246482
Nov 29, 2017 (Nimbostratus)
cookie & requestVerificationToken is set without the HttpOnly Cookie parameter
Pen test finding below: How to set cookie & requestVerificationToken with the HttpOnly Cookie parameter on LTM running on 11.6
Risk : When a cross-site scripting vulnerability is present, an attacker may unnecessarily be able to retrieve sensitive information from cookies.
Recommendation: Supply the HttpOnly cookie parameter when the server sets a cookie through Set-Cookie.
I have found how to set HttpOnly with an iRule, but I am not sure what RequestVerificationToken is.
Can someone please help me with RequestVerificationToken: what is it, and how do I fix it?
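For reference, an added iRule example (not from the original post or from F5) that adds the HttpOnly attribute to every Set-Cookie header the back-end emits, so the application's session cookie and the __RequestVerificationToken cookie (the anti-forgery token cookie that ASP.NET MVC sets, which is why it shows up as a separate finding) are both covered. It assumes the virtual server has an HTTP profile and that no cookie in the response is meant to be readable by client-side script.

```tcl
when HTTP_RESPONSE {
    # Collect all Set-Cookie headers in this response (there may be several,
    # e.g. the session cookie and the __RequestVerificationToken cookie).
    set cookies [HTTP::header values "Set-Cookie"]
    if { [llength $cookies] == 0 } {
        return
    }

    # Remove the originals, then re-insert each one with HttpOnly appended
    # unless the server already included the attribute. Matching is done
    # case-insensitively because attribute names are not case-sensitive.
    HTTP::header remove "Set-Cookie"
    foreach cookie $cookies {
        if { not ([string tolower $cookie] contains "httponly") } {
            append cookie "; HttpOnly"
        }
        HTTP::header insert "Set-Cookie" $cookie
    }
}
```

After applying the iRule, confirm the change from a client with a header-only request (for example `curl -I`) and check that every Set-Cookie line now ends in `HttpOnly`; if a cookie must stay readable by JavaScript, exclude it by name inside the loop.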