Cisco Support Community
New Member

Arrowpoint cookie HTTP Only flag set.

Hi All,

I have a site running an application on which we have identified a vulnerability we wish to close. The CSS11501 is using the advance balance arrowpoint cookie method, however tests are showing that the HTTP only parameter is not set. I am unable to find a way of doing this at present. Does anyone know how to achieve this?

Until I can do so there is a remote possibility I am leaving my application open to cross site scripting attacks.

Microsoft use the HTTPOnly cookie option which sets a HTTPOnly flag. The following URL has some information for review.

Thanks in advance for your help.

Alfie...

2 REPLIES
Cisco Employee

Re: Arrowpoint cookie HTTP Only flag set.

Alfie,

Your security test tool assumes the CSS is a webserver and therefore complains when seeing some missing *flag*.

However, you won't be able to attack the CSS with whatever method that works against a webserver.

We have our own onboard DOS feature.

So, there is no option to use this Microsoft HTTPOnly flag because there is no need for it.

Make sure the servers behind the CSS are protected and have your HTTPOnly flag.

Gilles.

New Member

Re: Arrowpoint cookie HTTP Only flag set.

Gilles,

Thanks for taking the time to respond.

Our web servers are already configured as you suggest. As such I guess we are OK if the onboard features prevent this type of attack.

Best Regards,

Alfie
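
Added example, not part of the original thread and not Cisco code: a small check that lists which cookies in a captured HTTP response lack the HttpOnly attribute, so the servers' own cookies can be verified separately from the load balancer's persistence cookie. The response and the cookie names (APPSESSION, LB_STICKY, prefs) are constructed for illustration.

```python
# Constructed sample: raw response headers as a scanner or proxy might capture them.
# Cookie names and values are made up; LB_STICKY stands in for a persistence cookie.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: APPSESSION=abc123; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: LB_STICKY=server1; Path=/\r\n"
    "Set-Cookie: prefs=lang=en; Expires=Wed, 01 Jan 2031 00:00:00 GMT; httponly\r\n"
    "\r\n"
    "<html></html>"
)


def set_cookie_lines(raw):
    """Return the value of every Set-Cookie header in a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]          # headers only, drop the body
    values = []
    for line in head.split("\r\n")[1:]:         # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def audit_cookie(header_value):
    """Parse one Set-Cookie value into its name and security attributes."""
    # Split on ';' only: the Expires date contains a comma, so ',' is not a separator.
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].partition("=")[0]
    # Attribute names are case-insensitive, so compare in lower case.
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
    return {"name": name, "httponly": "httponly" in attrs, "secure": "secure" in attrs}


def missing_httponly(raw):
    """Names of cookies set by the response without the HttpOnly attribute."""
    cookies = [audit_cookie(v) for v in set_cookie_lines(raw)]
    return [c["name"] for c in cookies if not c["httponly"]]


if __name__ == "__main__":
    for value in set_cookie_lines(SAMPLE_RESPONSE):
        print(audit_cookie(value))
    print("Missing HttpOnly:", missing_httponly(SAMPLE_RESPONSE))
```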
