Cadet 3rd Class

Give false positives for httpCookies Setting in web.config

I'm scanning a web app and get results for the web.config file regarding the httpCookies setting. The sourceanalyzer seems very syntax specific. This is annoying because this single rule violation is causing 7 findings on a DISA STIG report. So, this is seven findings that I have to explain away. This is work that I'd rather not have to do.

Is there a command line option to ease the syntax for this particular rule? If not, how about how to ignore this rule?

Usually, I run something like OWASP ZAP, nikto, or Skipfish to look at live web server settings.

Note: I had to escape the forward slash to make this post? 

sourceanalyzer doesn't like this

<httpCookies httpOnlyCookies="true" requireSSL="true"\/>

sourceanalyzer doesn't like this

<httpCookies httpOnlyCookies="true"\/>

Fortify likes this (no slash towards the end of the tag)

<httpCookies httpOnlyCookies="true">

I am using:

Fortify Static Code Analyzer 20.1.0.0158

16:16:01 Fortify Secure Coding Rules, Core, ABAP v2020.4.0.0007
16:16:01 Fortify Secure Coding Rules, Core Preview, ABAP v2014.4.0.0008
16:16:01 Fortify Secure Coding Rules, Core, ActionScript 3.0 v2020.4.0.0007
16:16:01 Fortify Secure Coding Rules, Core, Android v2020.4.0.0007
16:16:01 Fortify Secure Coding Rules, Core, Annotations v2020.4.0.0007
16:16:01 Fortify Secure Coding Rules, Core, Apex v2020.4.0.0007
16:16:01 Fortify Secure Coding Rules, Core, ColdFusion v2020.4.0.0007
16:16:01 Fortify Secure Coding Rules, Core, COBOL v2020.4.0.0007
16:16:01 Fortify Secure Coding Rules, Core, C/C++ v2020.4.0.0007
16:16:01 Fortify Secure Coding Rules, Core, .NET v2020.4.0.0007
16:16:01 Fortify Secure Coding Rules, Core, Golang v2020.4.0.0007
16:16:01 Fortify Secure Coding Rules, Core, Java v2020.4.0.0007
16:16:01 Fortify Secure Coding Rules, Core, JavaScript v2020.4.0.0007
16:16:01 Fortify Secure Coding Rules, Core, Kotlin v2020.4.0.0007
16:16:01 Fortify Secure Coding Rules, Core, Objective-C v2020.4.0.0007
16:16:01 Fortify Secure Coding Rules, Core, PHP v2020.4.0.0007
16:16:01 Fortify Secure Coding Rules, Core, Python v2020.4.0.0007
16:16:01 Fortify Secure Coding Rules, Core, Ruby v2020.4.0.0007
16:16:01 Fortify Secure Coding Rules, Core, Scala v2020.4.0.0007
16:16:01 Fortify Secure Coding Rules, Core, SQL v2020.4.0.0007
16:16:01 Fortify Secure Coding Rules, Core, Swift v2020.4.0.0007
16:16:01 Fortify Secure Coding Rules, Core, Swift 2 v2020.4.0.0007
16:16:01 Fortify Secure Coding Rules, Core, Classic ASP, VBScript, and VB6 v2020.4.0.0007
16:16:01 Fortify Secure Coding Rules, Extended, Configuration v2020.4.0.0007
16:16:01 Fortify Secure Coding Rules, Extended, Content v2020.4.0.0007
16:16:01 Fortify Secure Coding Rules, Extended, C/C++ v2020.4.0.0007
16:16:01 Fortify Secure Coding Rules, Extended, .NET v2020.4.0.0007
16:16:01 Fortify Secure Coding Rules, Extended, Java v2020.4.0.0007
16:16:01 Fortify Secure Coding Rules, Extended, JavaScript v2020.4.0.0007
16:16:01 Fortify Secure Coding Rules, Extended, JSP v2020.4.0.0007
16:16:01 Fortify Secure Coding Rules, Extended, SQL v2020.4.0.0007

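As an added example (not from the original post, and not Fortify's own logic), here is a syntax-independent check that parses web.config as XML and reads the httpCookies attributes the same way whether the element is self-closing or explicitly closed; the web.config fragments are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragments: the self-closing form the scanner
# flagged, the explicit-close form, and a config with no httpCookies at all.
SELF_CLOSING = """<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>"""

EXPLICIT_CLOSE = """<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="true" requireSSL="true"></httpCookies>
  </system.web>
</configuration>"""

MISSING = "<configuration><system.web/></configuration>"


def _child(elem, tag):
    """First direct child with the given tag, or None (tag may contain a dot)."""
    return next((c for c in elem if c.tag == tag), None)


def http_cookie_settings(web_config_xml):
    """Return (httpOnlyCookies, requireSSL) as booleans.

    Both attributes default to false in ASP.NET when absent, so a missing
    <httpCookies> element or attribute is reported as insecure. The parser
    treats <x/> and <x></x> identically, so tag syntax cannot cause a miss.
    """
    root = ET.fromstring(web_config_xml)
    system_web = _child(root, "system.web")
    node = _child(system_web, "httpCookies") if system_web is not None else None
    if node is None:
        return (False, False)

    def flag(name):
        return node.get(name, "false").strip().lower() == "true"

    return (flag("httpOnlyCookies"), flag("requireSSL"))


def findings(web_config_xml):
    """Findings a STIG-style cookie check would raise for this config."""
    http_only, require_ssl = http_cookie_settings(web_config_xml)
    out = []
    if not http_only:
        out.append("httpCookies httpOnlyCookies is not true")
    if not require_ssl:
        out.append("httpCookies requireSSL is not true")
    return out
```

Running findings() over both closed forms yields no findings, while the config lacking httpCookies yields two, which is the behaviour a tag-syntax-agnostic rule should have.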
Knowledge Partner
I know this isn't ideal, but have you tried creating a closing tag versus the short trailing slash at the end of the tag and see how the scanner reacts?

For instance

< / httpCookies >
