App Security Scanner reports Cookie not set as HTTPOnly for CSRF token

  • 7022673
  • 21-Feb-2018
  • 13-Mar-2018

Environment


Access Manager 4.4
Access Manager Admin Console

Situation

An application security scanner was run against the NAM Administration Console and generated an alert that the HTTPOnly flag is not set on a cookie for the /adminui path on the host.

Resolution

CSRF protection is built into NAM 4.4.1, and this finding is a false positive that does not affect the Admin Console. The alert is raised because the CSRF protection cookie that NAM sets does not carry the HTTPOnly flag, which the application scanner reports as a problem. This is not a vulnerability: the cookie is used as in the OWASP double submit cookie pattern. The token is not a secret that must be hidden from the client; it is deliberately readable by JavaScript through the cookie so that page script on the same domain can copy it into the request, where the server checks that the submitted value matches the cookie. The same-origin policy prevents a page on another domain from reading the cookie, so a cross-site request cannot supply a matching token. The token is also only useful on an authenticated session: a valid JSESSIONID cookie must be present too, and that cookie is protected by the HTTPOnly flag. When triaging this finding, confirm that the alert refers only to the CSRF cookie and that JSESSIONID itself is still set with HTTPOnly.