Cookie Does Not Contain HTTPOnly Attribute Security Vulnerability

If a QUALYS Web Application Scan of a system such as Oracle Fusion (integration layer) reports the security vulnerability below, follow the steps given in the solution.

ID and Name

150123 and Cookie Does Not Contain The “HTTPOnly” Attribute

Threat

The cookie does not contain the “HTTPOnly” attribute.

Impact

Cookies without the “HTTPOnly” attribute are permitted to be accessed via JavaScript. Cross-site scripting attacks can steal cookies which could lead to user impersonation or compromise of the application account.

Solution

  • Go to the following location on the Oracle Fusion server: /<Env_Name>/products/middleware/<Server_Name>/server/lib/consoleapp/webapp/WEB-INF
  • Edit the file: weblogic.xml
  • Add the following tag inside the existing <session-descriptor> element: <http-only>true</http-only>

NOTE: After making the above changes, restart the Admin server and all the other SOA and OSB managed servers.
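To confirm the fix after the restart, capture the application's response headers (for example with curl -i) and check every Set-Cookie header for the HttpOnly attribute. The script below is an added verification example, not part of the original post or of Oracle's tooling; the response it parses is a constructed sample, and the cookie names in it are assumed for illustration.

```python
"""Report cookies in an HTTP response that lack the HttpOnly attribute."""
from typing import Dict, List

# Constructed sample response (not captured from a real server). The first and
# third Set-Cookie headers would trigger Qualys finding 150123; the second is fine.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: JSESSIONID=abc123; Path=/; Secure
Set-Cookie: ADMINCONSOLESESSION=def456; Path=/console; HttpOnly; Secure
Set-Cookie: prefs=dark; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT
"""


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Split one Set-Cookie value into the cookie name and its attribute flags.

    Attributes are separated by ';' and matched case-insensitively, as browsers
    do, so 'HttpOnly', 'httponly' and 'HTTPONLY' are all accepted.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {a.partition("=")[0].strip().lower() for a in parts[1:] if a}
    return {"name": name, "httponly": "httponly" in attrs, "secure": "secure" in attrs}


def cookies_missing_httponly(raw_response: str) -> List[str]:
    """Return the names of all cookies set without HttpOnly, in header order."""
    missing: List[str] = []
    for line in raw_response.splitlines():
        header, sep, value = line.partition(":")
        if sep and header.strip().lower() == "set-cookie":
            info = parse_set_cookie(value)
            if not info["httponly"]:
                missing.append(str(info["name"]))
    return missing


if __name__ == "__main__":
    # Expected for the sample: ['JSESSIONID', 'prefs']
    for cookie in cookies_missing_httponly(SAMPLE_RESPONSE):
        print(f"cookie '{cookie}' is set without HttpOnly")
```

An empty result after the change and restart means the scanner should no longer flag 150123 for those cookies; any name still listed points at a cookie set outside the session-descriptor configuration.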

32 Comments

  1. Keep your posts coming, it’s always a pleasure to read how you overcome the day to day issues and more
