FortiGate
nkortas
Staff
Article Id 191807

Description
When performing a vulnerability scan on the FortiGate, the vulnerability scanner can report that the SECURE and 'HTTPOnly' flags are missing from the cookie when the request goes to the HTTPS web management page.

Missing HTTPOnly flag from cookie.

- The 'HTTPOnly' flag prevents client-side scripting languages (JavaScript, VBScript, ActionScript) from accessing the cookie.

- This flag is useful when the web application is vulnerable to a weakness such as Cross-Site Scripting (XSS).

- Typically, if the web application is vulnerable to XSS, an attacker can inject client-side script into the web application to access the cookie.

- This flag prevents client-side scripting languages from accessing the cookie.

Missing SECURE flag from cookie.

- The SECURE flag makes the browser send the cookie only over HTTPS.
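
The check a scanner performs for these two flags, as an added example that is not FortiOS code or part of the original article: it parses Set-Cookie response headers and reports which cookies lack SECURE and 'HTTPOnly'. The sample headers and cookie names are constructed, not captured from a FortiGate.

```python
"""Report Set-Cookie headers that lack the Secure and HttpOnly flags."""
from typing import Dict, List

# Flags a scanner expects on a cookie set over HTTPS.
REQUIRED_FLAGS = ("secure", "httponly")


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie value into the cookie name and its attribute names.

    Attribute names are case-insensitive (RFC 6265), so they are lowercased;
    'HTTPOnly', 'HttpOnly' and 'httponly' all count as the same flag.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return {"name": name, "attrs": attrs}


def missing_flags(header: str, over_https: bool = True) -> List[str]:
    """Return the flags a scanner would report as missing for this cookie.

    The Secure flag only matters for a cookie set over HTTPS; on plain HTTP
    only the HttpOnly flag is checked.
    """
    cookie = parse_set_cookie(header)
    wanted = list(REQUIRED_FLAGS) if over_https else ["httponly"]
    return [f for f in wanted if f not in cookie["attrs"]]


def audit(headers: List[str], over_https: bool = True) -> Dict[str, List[str]]:
    """Map each cookie name to the flags it lacks; compliant cookies are omitted."""
    findings: Dict[str, List[str]] = {}
    for h in headers:
        lacking = missing_flags(h, over_https)
        if lacking:
            findings[parse_set_cookie(h)["name"]] = lacking
    return findings


# Constructed sample headers (hypothetical cookie names): one cookie carries
# both flags, the other two would each produce a scanner finding.
SAMPLE_HEADERS = [
    "session=abc123; path=/; Secure; HTTPOnly; SameSite=Strict",
    "pref=dark; path=/; HttpOnly",
    "lang=en; path=/",
]

if __name__ == "__main__":
    for name, lacking in audit(SAMPLE_HEADERS).items():
        print(f"{name}: missing {', '.join(lacking)}")
```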
Solution
For FortiOS versions 5.2.0 and above, the 'HTTPOnly' flag is added by default to the session cookie.

For FortiOS versions 5.6.3 and above, if 'HTTPS' and 'admin-https-redirect' are enabled, the SECURE flag is added to all cookies by default.

To enable 'HTTPS' and 'admin-https-redirect', follow these steps:
 
1) Allow 'HTTPS' access to the GUI.

Change this setting for individual interfaces by going to Network -> Interfaces and adjusting the administrative access to each interface.

From the CLI:

# config system interface
    edit <interface-name>
        set allowaccess https ssh
    end

2) Re-direct 'HTTP GUI' logins to 'HTTPS'.

Go to System -> Settings -> Administrator Settings and enable 'Redirect to HTTPS' to make sure that all attempted HTTP login connections are redirected to 'HTTPS'.

From the CLI:

# config system global
    set admin-https-redirect enable
end

The SECURE and 'HTTPOnly' flags will not be added to all cookies.
The reason is that adding those flags to every cookie would break the existing behavior of the FortiOS graphical user interface.

Nevertheless, this does not mean that the FortiGate is vulnerable, as additional checks are performed on the cookie to protect it, including but not limited to source IP validation.
If an attacker attempts to copy the cookie from one PC to another, the FortiGate will reject it if the source IP does not match.

For general security best practices, consider:

- Disabling access to the FortiGate from the Internet if it is not needed.

- Using dial-up IPsec VPN or SSL VPN if access to the FortiGate from the Internet is needed.

- Allowing access to the FortiGate only from a LAN network.

- Setting trusted hosts so that only trusted sources can access the FortiGate.

- Disabling insecure protocols such as HTTP and Telnet.

Related links:

[1] https://www.keycdn.com/support/what-is-mime-sniffing
[2] http://pwndizzle.blogspot.com/2015/07/xss-extensions-and-content-types.html
[3] https://blogs.msdn.microsoft.com/ie/2010/10/26/mime-handling-changes-in-internet-explorer/
