Insecure configuration of Cookie attributes

[rebus9]

Running version 4.2.1.  System has previously passed all PCI scans, until now.  CardPointe scanner is now returning a failing result, with the vulnerability listed as "Insecure configuration of Cookie attributes".  

The only additional info provided is a link to:  https://wiki.owasp.org/index.php/Testing_for_cookies_attributes_(OTG-SESS-002)

The site is running on IIS 8.5 with only port 443 bound, so everything should be over TLS 1.2.  Port 80 binding was removed.

Any idea how cookies are being passed insecurely?  Is there some communication via another method other than 443/TLS 1.2?  

Most importantly, what are suggestions on how to close this hole so the PCI scans pass?

[Paul]

  On 8/24/2020 at 1:39 PM, rebus9 said:

Running version 4.2.1.  System has previously passed all PCI scans, until now.  CardPointe scanner is now returning a failing result, with the vulnerability listed as "Insecure configuration of Cookie attributes".  

The only additional info provided is a link to:  https://wiki.owasp.org/index.php/Testing_for_cookies_attributes_(OTG-SESS-002)

The site is running on IIS 8.5 with only port 443 bound, so everything should be over TLS 1.2.  Port 80 binding was removed.

Any idea how cookies are being passed insecurely?  Is there some communication via another method other than 443/TLS 1.2?  

Most importantly, what are suggestions on how to close this hole so the PCI scans pass?

Expand  

I believe they are looking for the secure cookie attribute, that makes the cookie unable to be sent over an unsecure connection. See https://www.itnota.com/enable-secure-httponly-cookies-iis/ for IIS, it should help you update your config in IIS to meet this requirement.