Insecure configuration of Cookie attributes


Question

Posted

Running version 4.2.1.  System has previously passed all PCI scans, until now.  CardPointe scanner is now returning a failing result, with the vulnerability listed as "Insecure configuration of Cookie attributes".  

The only additional info provided is a link to:  
https://wiki.owasp.org/index.php/Testing_for_cookies_attributes_(OTG-SESS-002)

The site is running on IIS 8.5 with only port 443 bound, so everything should be over TLS 1.2.  Port 80 binding was removed.

Any idea how cookies are being passed insecurely?  Is there some communication via another method other than 443/TLS 1.2?  

Most importantly, what are suggestions on how to close this hole so the PCI scans pass?

1 answer to this question

Recommended Posts

  • 0
Posted
On 8/24/2020 at 1:39 PM, rebus9 said: (quoting the question above)

I believe they are looking for the secure cookie attribute, that makes the cookie unable to be sent over an insecure connection. See https://www.itnota.com/enable-secure-httponly-cookies-iis/ for IIS, it should help you update your config in IIS to meet this requirement.
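As an added example (not from the post or the linked guide), a small Python checker that parses Set-Cookie headers the way the scanner does and flags cookies missing the Secure or HttpOnly attribute; the sample headers are constructed, and the optional `fetch_set_cookie` helper assumes the site is reachable over HTTPS.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes (added example)."""
import urllib.request
from typing import Dict, List, Tuple

# Constructed sample headers, not captured from the poster's site.
SAMPLE_HEADERS = [
    "ASP.NET_SessionId=abc123; path=/; HttpOnly",          # Secure missing: scanner fails it
    ".ASPXAUTH=tok; path=/; secure",                       # HttpOnly missing
    "ASP.NET_SessionId=abc123; path=/; secure; HttpOnly",  # what ASP.NET emits once web.config has
                                                           # <httpCookies requireSSL="true" httpOnlyCookies="true" />
]

def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Return (cookie name, {attribute name lower-cased: value}) for one header."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, _value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()   # flag attributes carry an empty value
    return name.strip(), attrs

def audit_cookie(header: str) -> List[str]:
    """List the attributes a scanner would report as missing for one cookie."""
    _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    return findings

def audit_headers(headers: List[str]) -> List[Tuple[str, List[str]]]:
    """Audit every Set-Cookie header; an empty finding list means that cookie passes."""
    return [(parse_set_cookie(h)[0], audit_cookie(h)) for h in headers]

def fetch_set_cookie(url: str) -> List[str]:
    """Fetch a page over HTTPS and return its raw Set-Cookie headers (hypothetical helper)."""
    with urllib.request.urlopen(url) as resp:   # assumes the host answers on 443
        return resp.headers.get_all("Set-Cookie") or []

if __name__ == "__main__":
    for name, findings in audit_headers(SAMPLE_HEADERS):
        print(f"{name}: {', '.join(findings) or 'OK'}")
```

Run it against `fetch_set_cookie("https://your-host/")` after changing the IIS config to confirm every cookie the site sets comes back with an empty finding list.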
