Detections
Analytics
F5BI-DM-000290 - If the BIG-IP appliance is being used to authenticate users for web applications, the HTTPOnly flag must be set.
Information
The HttpOnly attribute directs browsers to use cookies by way of the HTTP and HTTPS protocols only, ensuring that the cookie is not available by other means, such as JavaScript function calls. This setting mitigates the risk of attack utilizing Cross Site Scripting (XSS). This vulnerability allows an attacker to impersonate any authenticated user that has visited a page with the attack deployed, allowing them to potentially allowing the user to raise their permissions level. The vulnerability can be mitigated by setting HTTPOnly on the appropriate Access Policy.NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Configure a policy in the BIG-IP ASM module to enable the HTTPonly flag.Log in to the Configuration utility.
Navigate to Security >> Options >> Application Security >> Advanced Configuration >> System Variables
Create the variable cookie_httponly_attr.
Set the Parameter to 1.
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_F5_BIG-IP_Y25M01_STIG.zip
Item Details
Audit Name: DISA F5 BIG-IP Device Management STIG v2r4
Category: SYSTEM AND COMMUNICATIONS PROTECTION
References: 800-53|SC-5, CAT|III, CCI|CCI-002385, Rule-ID|SV-230217r961620_rule, STIG-ID|F5BI-DM-000290, Vuln-ID|V-230217
Plugin: F5
Control ID: 1cd07811beff59bdeed16621e09d48454cc9a0f866bd026710949353e6e7be1a