KB Article #159927
Vulnerability scan reports that ST sets cookies without “HttpOnly” Flag
Problem
Vulnerability scan reports that ST sets cookies without “HttpOnly” Flag
Resolution
The HttpOnly flag instructs the web browser to deny client-side scripts and third-party plugins running on the page access to the cookie. The flag does not enforce anything on the server side; it relies solely on the web browser to respect it.
SecureTransport (ST) Web Access Plus (WAP), also known as Rich Internet Client (RIC) for versions up to 5.1.x, is a Java based skin and applet for web browser based file management in ST. Being a script/applet, it is therefore subject to the HttpOnly flag.
To establish a session when the user logs in, WAP (RIC) requires access to the session id stored in the browser's cookies.
Setting the HttpOnly flag on the ST server side prevents WAP (RIC) from accessing the session id and therefore breaks it.
To ensure proper operation of WAP (RIC), the HttpOnly flag should remain unset.
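The following is an added example, not Axway's code, showing the check a vulnerability scanner performs on a server's Set-Cookie headers: it parses each header and reports which cookies lack HttpOnly (the ones a page script, such as the WAP applet, can read), along with Secure and SameSite for completeness. The cookie names and values are constructed for illustration and are not taken from an ST server.

```python
"""Audit Set-Cookie headers for missing HttpOnly / Secure / SameSite attributes."""
from typing import Dict, List, Optional

# Constructed sample response headers; NOT captured from a real SecureTransport server.
SAMPLE_HEADERS = [
    "SESSIONID=c0ffee; Path=/; Secure",                       # no HttpOnly: script-readable
    "ui_prefs=dark; Path=/; Secure; HttpOnly; SameSite=Lax",  # fully protected
    "tracking=1; Path=/",                                     # no protective attributes
]


def parse_set_cookie(header: str) -> Dict[str, Optional[object]]:
    """Parse one Set-Cookie header value into its name, value and security attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie: Dict[str, Optional[object]] = {
        "name": name.strip(),
        "value": value.strip(),
        "httponly": False,
        "secure": False,
        "samesite": None,
    }
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key in ("httponly", "secure"):
            cookie[key] = True            # flag attributes carry no value
        elif key == "samesite":
            cookie["samesite"] = val.strip() or None
    return cookie


def audit_cookies(headers: List[str]) -> Dict[str, List[str]]:
    """Map each cookie name to the protective attributes it is missing.

    A cookie listed with "HttpOnly" missing is exactly what the scan report
    refers to: the browser exposes it to document.cookie and to page scripts.
    Fully protected cookies are omitted from the result.
    """
    findings: Dict[str, List[str]] = {}
    for cookie in map(parse_set_cookie, headers):
        missing = []
        if not cookie["httponly"]:
            missing.append("HttpOnly")
        if not cookie["secure"]:
            missing.append("Secure")
        if cookie["samesite"] is None:
            missing.append("SameSite")
        if missing:
            findings[str(cookie["name"])] = missing
    return findings


if __name__ == "__main__":
    for name, missing in audit_cookies(SAMPLE_HEADERS).items():
        print(f"{name}: missing {', '.join(missing)}")
```

On a live server the same check runs over the Set-Cookie headers returned by the login response; for ST with WAP (RIC) enabled, the session cookie is expected to appear without HttpOnly, as this article explains.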
That said, the HttpOnly flag security concern is secondary to others because it relies on the client to respect it. Not setting the HttpOnly flag becomes a concern only in the remote possibility that a malicious script could be executed in the browser through a primary vulnerability, such as Cross Site Scripting (XSS). In such a theoretical event, the session id in the user's session cookie could be stolen. Even in the unlikely event of a user's session id being stolen, there would be no immediate threat to the SecureTransport server itself: an attacker would still need to carry out a separate session hijacking attack with the stolen session id in order to access that specific session.
If ST server administrators are concerned about possible hijacking attempts, there are certain preventative measures, including modifying the session idle timeout on the SecureTransport Server.
Lowering this timeout significantly limits the window of opportunity in which a potentially intercepted session id can be reused by a malicious third party.
NOTE: With the release of ST 5.3.0, Axway introduced a new and feature-rich Web Access Plus (WAP) functionality that allows it to run with full HTML5 support and without Java applet execution. Running WAP this way introduces a minor loss of the functionality that remains dependent on the Java applet. Nevertheless, given Axway's desire to assure a full and enriching customer experience with WAP, we recommend that the Java applet is not disabled, which in turn requires the HttpOnly flag to remain unset. More information on the full WAP functionality in ST 5.3.0 and the differences when running it with or without the Java applet is available in ST's Web Client Users Guide.