This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Simon_s
Explorer
‎2024-07-09 01:07 PM

Cookie Does Not Contain The "HTTPOnly" Attribute port 4434/tcp

A few days ago we did a vulnerability test on the Gateway and it was reported that the cookie does not contain the "HTTPOnly" attribute.
This can cause the following:
"Cookies without the "HTTPOnly" attribute are allowed to be accessed via JavaScript. Cross-site scripting attacks can steal cookies, which could result in user impersonation or compromise the application account."

Any recommendations on how to fix this vulnerability???

 

Also a second vulnerability related to the previous one:
Cookie Does Not Contain The "secure" Attribute port 4434/tcp

The impact:
Cookies with the "secure" attribute can only be sent over HTTPS. Cookies sent over HTTP expose an unsuspecting user to tracking attacks that could result in user impersonation or compromise the application account.

Any suggestions?

0 Kudos
1 Reply
PhoneBoy
Admin
Admin
‎2024-07-10 10:07 AM

For this to be exploitable, we would have to allow the appliance to be manageable over HTTP.
There is no supported configuration to enable this.
Therefore, this vulnerability is not really applicable.

If you need to add these headers for compliance reasons, see: https://support.checkpoint.com/results/sk/sk158252
Don't believe this applies to Quantum Spark appliances.
In which case, I would consult with the TAC.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events