Forum Discussion

Bob_10976
Oct 29, 2012

Sensitive Cookie Missing 'HTTPONLY' Attribute

We were recently dinged by an audit scan for "Sensitive Cookie Missing 'HTTPONLY' Attribute" not being set on several of our websites, which are pretty much spread across several different VSs in the LTM.

I'd like to create an iRule to set this attribute; however, everything I've found in the forums doesn't seem to be for my version of the LTM, 10.2.3. We can't upgrade to 11.x because our device doesn't support it, so I was hoping someone could help me with the iRule.

Any suggestion would be greatly appreciated.

Thanks,

Bob


4 Replies

  • Hi Bob,

    If you can't upgrade to 11.x to use the 'HTTP::cookie httponly $cookiename enable' command, you could loop through the Set-Cookie headers and insert the httponly property:

    https://devcentral.f5.com/Community/GroupDetails/tabid/1082223/aft/2164062/asg/50/Default.aspx

    Aaron
  • Hoolio...I checked out the link and it seems to be doing more than what I'm looking to do, so I attempted to strip it down a bit. I came up with the following code, which seems to work OK; it came up as a valid iRule:

    when HTTP_RESPONSE {
       # Grab every Set-Cookie value the server sent, then drop the originals
       set ck [HTTP::header values "Set-Cookie"]
       HTTP::header remove "Set-Cookie"
       # Re-insert each cookie with the HttpOnly attribute appended
       foreach acookie $ck {
          HTTP::header insert "Set-Cookie" "${acookie}; HttpOnly"
       }
    }

    I didn't do the curl command before running this, so to double-check it was applying I ran it afterwards and was given this:
    
    [root@LTM1:Active] config  curl -I http://test.domain.com
    HTTP/1.1 200 OK
    Date: Fri, 02 Nov 2012 14:14:26 GMT
    Server: Microsoft-IIS/6.0
    Cache-Control: post-check=3600,pre-check=43200
    X-Powered-By: ASP.NET
    Cache-Control: no-cache
    Pragma: no-cache
    Expires: -1
    Content-Type: text/html; charset=utf-8
    Content-Length: 14971
    Set-Cookie: ASP.NET_SessionId=qrjevsr5lk14uw45b1d4ghql; path=/; HttpOnly; HttpOnly
     
    
    Since it's showing it twice, that indicates, at least to me, that the HTTPOnly is already being applied. So I did a curl on another site that the iRule wasn't being applied to but which was listed in the security scan results as a site that didn't have the HTTPOnly. The results are below:
    
    [root@LTM1:Active] config  curl -I http://domain.com                                     
    HTTP/1.1 200 OK
    Date: Fri, 02 Nov 2012 14:22:29 GMT
    Server: Microsoft-IIS/6.0
    X-Powered-By: ASP.NET
    X-AspNet-Version: 2.0.50727
    Set-Cookie: ASP.NET_SessionId=m3u2q2rppvieexfm3o4mlwz4; path=/; HttpOnly
    Cache-Control: no-cache
    Pragma: no-cache
    Expires: -1
    Content-Type: text/html; charset=utf-8
    Content-Length: 18883
    
    Based on what I'm seeing this may be a false positive, right?
    Thanks,
    Bob
  • "Based on what I'm seeing this may be a false positive, right?"

    Doesn't the audit have a log to prove what they found?

    Anyway, to prevent adding a duplicate httponly, you may check whether it is already there before adding it.

    e.g.

    [root@ve10:Active] config  b virtual bar list
    virtual bar {
       snat automap
       pool foo
       destination 172.28.19.79:80
       ip protocol 6
       rules myrule
       profiles {
          http {}
          tcp {}
       }
    }
    [root@ve10:Active] config  b pool foo list
    pool foo {
       members 200.200.200.101:80 {}
    }
    [root@ve10:Active] config  b rule myrule list
    rule myrule {
       when HTTP_RESPONSE {
       set ck [HTTP::header values "Set-Cookie"]
       HTTP::header remove "Set-Cookie"
       foreach acookie $ck {
          if { [string tolower $acookie] contains "httponly" } {
             HTTP::header insert "Set-Cookie" "${acookie}"
          } else {
             HTTP::header insert "Set-Cookie" "${acookie}; HttpOnly"
          }
       }
    }
    }
    
    [root@ve10:Active] config  curl -I http://200.200.200.101
    HTTP/1.1 200 OK
    Date: Fri, 02 Nov 2012 14:54:25 GMT
    Server: Apache/2.2.3 (CentOS)
    Last-Modified: Sat, 27 Oct 2012 03:22:35 GMT
    ETag: "4183f3-59-f28f94c0"
    Accept-Ranges: bytes
    Content-Length: 89
    Set-Cookie: foo1=123456; path=/; HttpOnly
    Set-Cookie: foo2=abcdef; path=/
    Content-Type: text/html; charset=UTF-8
    
    [root@ve10:Active] config  curl -I http://172.28.19.79
    HTTP/1.1 200 OK
    Date: Fri, 02 Nov 2012 14:54:30 GMT
    Server: Apache/2.2.3 (CentOS)
    Last-Modified: Sat, 27 Oct 2012 03:22:35 GMT
    ETag: "4183f3-59-f28f94c0"
    Accept-Ranges: bytes
    Content-Length: 89
    Content-Type: text/html; charset=UTF-8
    Set-Cookie: foo1=123456; path=/; HttpOnly
    Set-Cookie: foo2=abcdef; path=/; HttpOnly
    
    
  • Thanks!! I did find that the audit was running the scan against the URL, so it caused it to return a 302 redirect response, and the redirect response was where the HTTPOnly attribute was missing from. With the addition of the if/else clause this resolved the problem.

    Thanks again,

    Bob
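The two iRule variants in this thread (append HttpOnly to every Set-Cookie unconditionally, then only when it is missing) and the closing finding that the scanner was hitting a 302 redirect rather than the 200 page can be modelled outside the BIG-IP. The Python below is an added example for this page, not iRule code and not from F5 or any poster here: it mirrors the "remove Set-Cookie, re-insert each value" loop, audits raw response heads for cookies lacking HttpOnly regardless of status code, and shows that the missing-check version is idempotent. The response heads and session ids are constructed placeholders. It also goes one step beyond the thread's `contains "httponly"` test: only the attribute tokens after `name=value` are examined, so a cookie whose value happens to contain the word still gets the flag.

```python
"""Python model of the HttpOnly-enforcement logic discussed in this thread.

Added illustration, not F5 iRule code: it mirrors the
"remove Set-Cookie, re-insert each value with HttpOnly" loop and the
"skip cookies that already have it" check, and audits raw responses
(including 3xx redirects) for cookies that lack the attribute.
"""
from typing import List, Tuple


def cookie_has_attribute(set_cookie: str, attr: str) -> bool:
    """True if a Set-Cookie value carries the flag attribute `attr`.

    Attribute names are case-insensitive (RFC 6265), so comparison is
    lower-cased. Only the ';'-separated tokens after the name=value pair
    are inspected, so a cookie *value* containing the word 'httponly'
    does not count (the thread's `contains "httponly"` check would).
    """
    tokens = [t.strip().lower() for t in set_cookie.split(";")]
    return attr.lower() in tokens[1:]


def add_httponly(set_cookies: List[str]) -> List[str]:
    """Mirror of the second iRule's foreach loop: append '; HttpOnly' to
    each Set-Cookie value that lacks it and pass the others through, so
    running it twice never yields 'HttpOnly; HttpOnly'."""
    fixed = []
    for cookie in set_cookies:
        if cookie_has_attribute(cookie, "HttpOnly"):
            fixed.append(cookie)
        else:
            fixed.append(f"{cookie}; HttpOnly")
    return fixed


def parse_response(raw: str) -> Tuple[int, List[Tuple[str, str]]]:
    """Split a raw HTTP/1.1 response head into (status code, headers).

    Headers come back as an ordered list of (name, value) so that repeated
    Set-Cookie headers are all preserved."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = []
    for line in lines[1:]:
        if line:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return status, headers


def audit_response(raw: str) -> List[str]:
    """Return every Set-Cookie value in the response that lacks HttpOnly.

    All status codes are checked: the scanner in this thread flagged a 302
    redirect whose cookie was missing the flag while the 200 page was fine."""
    _, headers = parse_response(raw)
    return [value for name, value in headers
            if name.lower() == "set-cookie"
            and not cookie_has_attribute(value, "HttpOnly")]


def rewrite_response(raw: str) -> str:
    """Apply add_httponly() to a raw response the way the iRule does:
    strip all Set-Cookie headers, then re-insert the fixed values at the
    end of the header block (which is why the thread's second curl output
    shows Set-Cookie moving after Content-Type)."""
    head, sep, body = raw.partition("\r\n\r\n")
    status_line, *rest = head.split("\r\n")
    kept = [h for h in rest if not h.lower().startswith("set-cookie:")]
    cookies = [h.partition(":")[2].strip() for h in rest
               if h.lower().startswith("set-cookie:")]
    fixed = [f"Set-Cookie: {c}" for c in add_httponly(cookies)]
    return "\r\n".join([status_line, *kept, *fixed]) + sep + body


# Constructed sample responses (not real captures). The 302 models the
# redirect the audit scanner actually hit; the 200 models the page Bob
# checked by hand. Session ids are placeholders.
REDIRECT_302 = (
    "HTTP/1.1 302 Found\r\n"
    "Location: /login.aspx\r\n"
    "Set-Cookie: ASP.NET_SessionId=PLACEHOLDER; path=/\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
PAGE_200 = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: ASP.NET_SessionId=PLACEHOLDER; path=/; HttpOnly\r\n"
    "Set-Cookie: prefs=httponly_theme; path=/\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, resp in (("302", REDIRECT_302), ("200", PAGE_200)):
        print(label, "missing HttpOnly before:", audit_response(resp))
        print(label, "missing HttpOnly after: ", audit_response(rewrite_response(resp)))
```

Running the script audits both constructed responses before and after the rewrite: the 302 is the one that would have tripped the scanner, and the `prefs` cookie on the 200 page shows why checking attribute tokens rather than the whole string matters. When verifying a fix like this against a real scan finding, request the exact URL the scanner used with `curl -I` so that any redirect response, not just the final page, is inspected.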