STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide, Version 5, Release 1, Benchmark Date: 23 Oct 2020

The application must set the HTTPOnly flag on session cookies.

DISA Rule

SV-222575r508029_rule

Vulnerability Number

V-222575

Group Title

SRG-APP-000219

Rule Version

APSC-DV-002210

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the application to set the HTTPOnly flag on session cookies.

Check Contents

Review the application documentation and interview the application administrator to identify when session cookies are created.

Identify any mitigating controls the application developer may have implemented. Examples include a separate web application firewall configured to add the flag to outbound Set-Cookie headers, or a web server running ModSecurity or the OWASP ESAPI WAF with the HTTPOnly directives enabled. A mitigating control only counts if the cookie the client actually receives carries the flag, which the browser steps below verify.

Reference the most recent vulnerability scan documentation.

Verify that the scan configuration includes web application checks, including HTTPOnly tests.

Review the scan results and determine if vulnerabilities related to HTTPOnly flag not being set for session cookies have been identified.

Utilize a web browser or other web application diagnostic tool to view the session cookies the application sets on the client. (The procedure below is written for Internet Explorer 8, 9 and 10; current browsers expose the same information in their developer tools, for example under Application > Storage > Cookies in Chrome and Edge or Storage > Cookies in Firefox, and the Network panel shows the raw Set-Cookie response header with its attributes.)

Internet Explorer versions 8, 9, and 10 include a utility called Developer Tools.

Access the application website and establish an application session.

Access the page that sets the session cookie.

Press "F12" to open Developer Tools.

Select "Cache" and then "View cookie information".

Identify the session cookies. An example of an HTTPOnly session cookie is as follows:

Set-Cookie: SessionId=z5ymkk45aworjo2l31tlhqqv; path=/; HttpOnly

Attribute names in Set-Cookie are case-insensitive, so HttpOnly, HTTPOnly and httponly are all accepted by browsers; what matters is that the attribute is present on every cookie that carries a session identifier. The flag can only be set by the server in a Set-Cookie header: a cookie written by client-side script cannot be HttpOnly, so a session identifier the application stores through document.cookie cannot satisfy this requirement.

If the application does not set the HTTPOnly flag on session cookies or if the application administrator cannot demonstrate mitigating controls, this is a finding.
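The following Python script is an added example for this page and is not DISA or STIGQter code. It performs the check above offline against captured Set-Cookie header values (the sample headers and the list of session-cookie names are constructed assumptions; add the application's own session cookie name from its documentation), parsing attributes case-insensitively the way a browser does, and it also shows the fix side of the rule by building a compliant header with the standard library's cookie module.

```python
"""Audit Set-Cookie headers for the HttpOnly flag on session cookies,
and build a compliant header for comparison.

Added example for this STIG check; not DISA or STIGQter code.
SESSION_COOKIE_NAMES and SAMPLE_HEADERS are constructed for illustration.
"""
from http.cookies import SimpleCookie

# Names commonly used for session identifiers across frameworks.
# Assumption: extend with the application's own session cookie name
# (identified in the first check step).
SESSION_COOKIE_NAMES = {
    "sessionid", "session", "sid", "jsessionid", "phpsessid",
    "asp.net_sessionid", "connect.sid", "_session_id",
}


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attr: val}).

    Attribute names are lower-cased because RFC 6265 attribute names
    are case-insensitive. Flag attributes with no '=' map to True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_val, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_val else True
    return name.strip(), value, attrs


def is_session_cookie(name):
    return name.lower() in SESSION_COOKIE_NAMES


def audit_set_cookie_headers(headers):
    """Return (cookie_name, compliant, reason) for each session cookie.

    Non-session cookies are skipped because the rule covers session
    cookies only. Presence of the attribute is what counts: browsers
    treat 'HttpOnly' as set even if some value is appended to it.
    """
    findings = []
    for h in headers:
        name, _value, attrs = parse_set_cookie(h)
        if not is_session_cookie(name):
            continue
        if "httponly" in attrs:
            findings.append((name, True, "HttpOnly present"))
        else:
            findings.append((name, False, "HttpOnly missing"))
    return findings


def build_session_cookie_header(name, value, path="/"):
    """Emit a Set-Cookie value with HttpOnly set (the fix side).

    Secure is added as well, since a session cookie should not be sent
    over plaintext HTTP; SimpleCookie writes the attributes in sorted
    order, so the result reads 'HttpOnly; Path=/; Secure'.
    """
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = path
    jar[name]["httponly"] = True
    jar[name]["secure"] = True
    return jar.output(header="").strip()


# Constructed sample responses, as a scanner or DevTools would show them.
SAMPLE_HEADERS = [
    "SessionId=z5ymkk45aworjo2l31tlhqqv; path=/; HttpOnly",  # compliant (the STIG's example)
    "JSESSIONID=1A2B3C4D5E6F; Path=/app; Secure",            # finding: Secure but no HttpOnly
    "theme=dark; Path=/",                                    # not a session cookie, ignored
    "PHPSESSID=abc123; path=/; httponly",                    # compliant: attribute is case-insensitive
]

if __name__ == "__main__":
    for cookie, ok, why in audit_set_cookie_headers(SAMPLE_HEADERS):
        print(f"{cookie}: {'OK' if ok else 'FINDING'} ({why})")
    print(build_session_cookie_header("SessionId", "z5ymkk45aworjo2l31tlhqqv"))
```

Feed `audit_set_cookie_headers` the Set-Cookie values copied from the browser's Network panel or from a scanner export; any row reported as a FINDING is a session cookie the application sets without the flag.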

Documentable

False

Severity Override Guidance

Same as the Check Contents above.

Check Content Reference

M

Target Key

4093

Comments