Sensitive Cookie Missing 'HTTPONLY' Attribute - PCI Compliance

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
11 years ago
We use McAfee to do our PCI Compliance scanning. They are currently saying they found an issue with our NopCommerce site. Is anyone else seeing this? Has anyone else fixed this issue? Here is the issue text:

The application does not utilize HTTP-only cookies. This is a new security feature introduced by Microsoft in IE 6 SP1 to mitigate the possibility of successful Cross-site Scripting attacks by not allowing cookies with the "HttpOnly" flag to be accessed via client-side scripts.

An attacker can easily steal a user's session if the attacker is able to manipulate the JavaScript. This vulnerability has a very high security impact if the site is also vulnerable to Cross Site Scripting (XSS).

If anyone knows where in the code to fix this and can help I'd appreciate it.
11 years ago
I also have these alerts coming up. I edited the cookie function to add the httponly flag but it is still failing. Has anyone successfully updated this?
11 years ago
I was able to get this fixed. I downloaded the source code and opened it in Visual Studio. I built the solution so that the files in the web folder would have a reference point and I could tell which DLLs were affected by the date and time on the DLL. Then I used the search function to search the solution for all occurrences of httpcookie. I found 2 spots in the code where a new cookie was created, but httponly was not set to true. It must default to false. I added one line of code setting the cookie attribute httponly equal to true. I then built the solution and went into the web folder and grabbed the DLLs which had a date/time of when I did the build. I copied these to my nopCommerce websites. I marked my PCI failures as fixed with McAfee and had them rescan my sites. The problem was fixed.
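A way to verify the fix before asking the scanner to rerun, as an added example that is not part of this thread or of nopCommerce: it checks each Set-Cookie header a page returns for the HttpOnly attribute, which is the condition the PCI finding describes. The sample headers and cookie names are constructed for illustration; `check_site` performs the same check against a live host you name.

```python
# Added example: check Set-Cookie headers for the HttpOnly attribute, the
# same condition the PCI scanner in the thread reports. Sample headers are
# constructed here; cookie names are illustrative, not taken from nopCommerce.
from http.client import HTTPConnection, HTTPSConnection


def parse_set_cookie(header: str):
    """Return (cookie name, set of lowercased attribute names) for one header.

    Attribute names are compared case-insensitively because RFC 6265 permits
    any casing ("HttpOnly", "httponly").
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def cookies_missing_httponly(headers):
    """Names of cookies set without HttpOnly, in header order."""
    return [name for name, attrs in map(parse_set_cookie, headers)
            if "httponly" not in attrs]


def check_site(host: str, path: str = "/", use_tls: bool = True):
    """Live check: fetch one page and report cookies it sets without HttpOnly."""
    conn = (HTTPSConnection if use_tls else HTTPConnection)(host, timeout=10)
    conn.request("GET", path)
    resp = conn.getresponse()
    # getheader("Set-Cookie") would join several cookies with ", ", which breaks
    # on Expires dates that contain commas; getheaders() keeps them separate.
    set_cookies = [v for k, v in resp.getheaders() if k.lower() == "set-cookie"]
    conn.close()
    return cookies_missing_httponly(set_cookies)


# Constructed sample: what a scan sees before and after the fix described above.
BEFORE_FIX = [
    "ASP.NET_SessionId=abc123; path=/",
    "Nop.customer=0000-guid; expires=Fri, 01 Jan 2038 00:00:00 GMT; path=/",
]
AFTER_FIX = [
    "ASP.NET_SessionId=abc123; path=/; HttpOnly",
    "Nop.customer=0000-guid; expires=Fri, 01 Jan 2038 00:00:00 GMT; path=/; HttpOnly",
]

if __name__ == "__main__":
    print("before:", cookies_missing_httponly(BEFORE_FIX))  # both cookies flagged
    print("after:", cookies_missing_httponly(AFTER_FIX))    # []
```

Run it against every page that issues cookies (login, cart, checkout), not only the home page, since the two cookie-creation sites mentioned above may be reached from different requests.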
11 years ago
Thanks a lot for reporting and info on how to fix it. I've just created a work item for this task.