Why the Secure Cookie Attribute Matters in Application Security on OWASP Compliance

Listen to this Post

Have you ever wondered why some security scans flag cookies as missing the “Secure” attribute? It’s a simple issue but one that can leave your application exposed.

🚨 Cookies without the Secure flag can be sent over HTTP and HTTPS. If a user accidentally / intentionally accesses your site over HTTP, their cookies, including session token cookies, WILL be transmitted in plain text.

If an attacker sniffs the network, they can steal these cookies and hijack the session. At this point, the application is exposed to many OWASP issues and risks.

✅ Session Hijacking

✅ Man-in-the-Middle (MITM) Attacks

✅ Session Fixation

Adding the “Secure” attribute fixes the problem and drastically improves the application’s security.

This is to achieve on the F5; add a cookie entity with the same name as the cookie you want to protect. Simple as the four steps below.

1️⃣ Create a cookie entity in F5 ASM that matches the name you want to protect.
2️⃣ Enable the Secure Attribute by checking the box.
3️⃣ Enable HttpOnly (optional but recommended for extra protection).

4️⃣ Apply the Policy.

Anytime the application sends the “Set-Cookie” header for the ASM-protected cookie – then the Flag will be set on the F5.

No need to wait for months for a developer application fix; it takes 5 minutes with the F5 ASM Module.

You Should Know:

Here are some practical commands and codes to secure cookies and enhance application security:

Linux Commands for Secure Cookie Management:

1. Check for Secure Flag in Cookies:

Use `curl` to inspect cookies:

curl -I -v https://example.com

Look for `Set-Cookie` headers and ensure they include the `Secure` attribute.

2. Enable Secure Flag in Apache:

Edit your Apache configuration file (`httpd.conf` or `apache2.conf`):

<IfModule mod_headers.c>
Header edit Set-Cookie ^(.*)$ "$1; Secure"
</IfModule>

3. Enable Secure Flag in Nginx:

Add the following to your Nginx configuration:

add_header Set-Cookie "Path=/; HttpOnly; Secure";

4. Test SSL/TLS Configuration:

Use `openssl` to test your server’s SSL/TLS configuration:

openssl s_client -connect example.com:443 -tls1_2

Windows Commands for Secure Cookie Management:

1. Check for Secure Cookies in IIS:

Use PowerShell to verify cookie settings:

Get-WebConfigurationProperty -Filter /system.web/httpCookies -Name requireSSL

Ensure `requireSSL` is set to `True`.

2. Enable Secure Cookies in IIS:

Use the following PowerShell command:

Set-WebConfigurationProperty -Filter /system.web/httpCookies -Name requireSSL -Value True

3. Test SSL/TLS on Windows:

Use `Test-NetConnection` to verify SSL/TLS connectivity:

Test-NetConnection -ComputerName example.com -Port 443

F5 BIG-IP Commands:

1. Enable Secure Attribute on F5 ASM:

Use the following TMSH command:

tmsh modify /security/application-security policy <policy_name> cookies add { <cookie_name> { secure enabled } }

2. Verify Cookie Settings:

Check the cookie configuration:

tmsh list /security/application-security policy <policy_name> cookies

What Undercode Say:

Securing cookies with the `Secure` attribute is a critical step in protecting applications from session hijacking and MITM attacks. By implementing the steps above, you can ensure that cookies are only transmitted over HTTPS, reducing the risk of exposure. Additionally, leveraging tools like F5 ASM, Apache, Nginx, and IIS can simplify the process of enforcing secure cookie policies. Always test your configurations using tools like curl, openssl, and PowerShell to ensure compliance with OWASP standards. Remember, a small change like enabling the `Secure` flag can have a significant impact on your application’s security posture.

For more details on OWASP compliance, visit: OWASP Secure Flag.

References:

Reported By: Grahammattingley F5 – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅Featured Image