STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide Version: 5 Release: 1 Benchmark Date: 23 Oct 2020: STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide Version: 5 Release: 1 Benchmark Date: 23 Oct 2020:SV-222576r508029_rule
V-222576
SRG-APP-000219
APSC-DV-002220
CAT II
10
Configure the application to ensure the secure flag is set on session cookies.
Review the application documentation and interview the application administrator to identify when session cookies are created.
If vulnerability scan results are available, reference the most recent vulnerability scan results.
Verify that the scan configuration includes checks for the secure flag on session cookies. If scan configuration settings are not available, follow the manual procedure provided below.
Review the scan results and determine if the secure flag not being set was identified as a vulnerability.
To manually perform the check, open a web browser, logon to the web application and use the web browser to view the new session cookie.
The procedures used for viewing and clearing browser cookies will vary based upon the web browser used. Providing steps for every browser is outside the scope of the STIG. There are numerous sites that document how to view cookies using various web browsers.
For IE11:
Alt-X >> Internet options >> General >> Settings >> View Files
A windows explorer box will open that contains the contents of the Temporary Internet Files. Browse the folder and locate the application session cookie(s). View the contents of the cookie(s).
If the "secure" flag is not set on the session cookie, or if the vulnerability scan results indicate the application does not set the secure flag on cookies, this is a finding.
V-222576
False
APSC-DV-002220
Review the application documentation and interview the application administrator to identify when session cookies are created.
If vulnerability scan results are available, reference the most recent vulnerability scan results.
Verify that the scan configuration includes checks for the secure flag on session cookies. If scan configuration settings are not available, follow the manual procedure provided below.
Review the scan results and determine if the secure flag not being set was identified as a vulnerability.
To manually perform the check, open a web browser, logon to the web application and use the web browser to view the new session cookie.
The procedures used for viewing and clearing browser cookies will vary based upon the web browser used. Providing steps for every browser is outside the scope of the STIG. There are numerous sites that document how to view cookies using various web browsers.
For IE11:
Alt-X >> Internet options >> General >> Settings >> View Files
A windows explorer box will open that contains the contents of the Temporary Internet Files. Browse the folder and locate the application session cookie(s). View the contents of the cookie(s).
If the "secure" flag is not set on the session cookie, or if the vulnerability scan results indicate the application does not set the secure flag on cookies, this is a finding.
M
4093