AshuA_246482
Nov 29, 2017

cookie & requestVerificationToken is set without the HttpOnly Cookie parameter

Pen test finding below: How to set cookie & requestVerificationToken with the HttpOnly cookie parameter on LTM running 11.6?

Risk: When a cross-site scripting vulnerability is present, an attacker may unnecessarily be able to retrieve sensitive information from cookies.

Recommendation: Supply the HttpOnly cookie parameter when the server sets a cookie through Set-Cookie.

I have found how to set HttpOnly with an iRule but am not sure what RequestVerificationToken is.

Can someone please help me with RequestVerificationToken: what is this and how to fix it?