← Back to F5 BIG-IP Device Management Security Technical Implementation Guide

V-230217

CAT III (Low)

If the BIG-IP appliance is being used to authenticate users for web applications, the HTTPOnly flag must be set.

Rule ID

SV-230217r961620_rule

STIG

F5 BIG-IP Device Management Security Technical Implementation Guide

Version

V2R4

CCIs

CCI-002385

Discussion

The HttpOnly attribute directs browsers to use cookies by way of the HTTP and HTTPS protocols only, ensuring that the cookie is not available by other means, such as JavaScript function calls. This setting mitigates the risk of attack utilizing Cross Site Scripting (XSS). This vulnerability allows an attacker to impersonate any authenticated user that has visited a page with the attack deployed, allowing them to potentially allowing the user to raise their permissions level. The vulnerability can be mitigated by setting HTTPOnly on the appropriate Access Policy.

Check Content

If the BIG-IP ASM module is not used to support user authentication, this is not applicable.

Navigate to Security >> Options >> Application Security >> Advanced Configuration >> System Variables
Verify cookie_httponly_attr is set to 1.

If the BIG-IP appliance is being used to authenticate users for web applications, the HTTPOnly flag must be set, this is a finding.

Fix Text

Configure a policy in the BIG-IP ASM module to enable the HTTPonly flag.

Log in to the Configuration utility.

Navigate to Security >> Options >> Application Security >> Advanced Configuration >> System Variables

Create the variable cookie_httponly_attr.
Set the Parameter to 1.