Applies To:
All versions of Trust Protection Platform 16.2 and earlier
Summary:
Observation:
Cookie without "httponly" flag set / Missing "httponly" Attribute in Session Cookie
Potential Vulnerability:
If the "httponly" attribute is set on a cookie, the cookie's value cannot be read through document.cookie or overwritten by client-side JavaScript; the browser still stores the cookie and attaches it to requests as usual. This measure prevents certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.
Common Recommendation:
There is usually no good reason not to set the "httponly" flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the flag by including the HttpOnly attribute in the relevant Set-Cookie response header. Be aware that the restrictions imposed by the "httponly" flag can be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection aside from simple cookie stealing.
More Info:
Venafi Resolution:
Venafi does not set the "httponly" flag on this cookie and does not rely on it to prevent CSRF (Cross Site Request Forgery) attacks; the flag is not a CSRF defense in any case, since the browser attaches an HttpOnly cookie to a cross-site request just as it does any other cookie.
Instead, to prevent possible CSRF attacks on the WebAdmin console, we implemented an industry-standard fix. That fix requires the Venafi JavaScript code to be able to read and modify our cookie in real time, which is not possible with the "httponly" flag set. The same fix prevents anyone but Director from modifying our cookie, which is similar to what the "httponly" flag would accomplish. Note that this addresses modification rather than disclosure: without the flag, any script running in the WebAdmin console's origin can still read the cookie's value, so this finding should be assessed together with the console's exposure to script injection.