Hi,
There is a low-level vulnerability on the WebSEAL cookie (PD_STATEFUL). I found an IBM note that gives a process to make it HTTPOnly using an HTTP transformation rule:
https://www.ibm.com/support/pages/setting-pdstateful-cookie-secure

Point 1: Every time WebSEAL creates this cookie it generates the cookie name. Below are two values observed so far on the same ISAM environment:
PD_STATEFUL_8c02899c-abbd-11ea-b4f3-005056b1e0cf
PD_STATEFUL_8b012b34-abbd-11ea-b4f3-005056b1e0cf
I tried all possible ways using an HTTP transformation rule to make this cookie HTTPOnly and Secure. Below is the HTTP transformation rule:
<xsl:template match="//HTTPResponse/Cookies">
  <!-- Select on the fixed PD_STATEFUL_ prefix: the suffix changes every time
       WebSEAL generates the cookie, so a hard-coded full name never stays valid.
       A single template avoids two templates with the same match pattern,
       which is an ambiguous-rule conflict in XSLT. -->
  <xsl:for-each select="Cookie[starts-with(@name, 'PD_STATEFUL_')]">
    <!-- Attribute value template copies the matched cookie's own name -->
    <Cookie action="update" name="{@name}">
      <Secure>1</Secure>
      <HTTPOnly>1</HTTPOnly>
    </Cookie>
  </xsl:for-each>
</xsl:template>
I could see something in the pdweb.http logs, but the cookie is not becoming HTTPOnly and Secure. I tried multiple ways (like applying the HTTP transformation rule as HTTPRequestChange and as HTTPResponseChange), but it is not becoming HTTPOnly.
Then I found another IBM note saying:

"It is not possible to modify the body of the request or response. Similarly, you cannot modify cookies or headers that are inserted by WebSEAL. For example, the Host, iv-user and iv-creds junction headers."

Is that the case, or is there still a way we can make the PD_STATEFUL cookie HTTPOnly and Secure?
Thanks,
Usman
------------------------------
UsmanAli Shaik
------------------------------
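Whatever the transformation rule ends up doing, the reliable way to know whether the PD_STATEFUL cookie actually left WebSEAL with Secure and HttpOnly set is to inspect the Set-Cookie headers in the response rather than the pdweb.http trace. The script below is an added example and is not part of the post or of any IBM tooling. It parses Set-Cookie header values, keeps only cookies whose name starts with PD_STATEFUL_ (the suffix is ignored, since the post shows it changes), and reports which flags are missing. The sample headers are constructed for the example; fetch_set_cookie_headers() is a hypothetical helper that performs the same check against a live host and is not run here.

```python
"""Report PD_STATEFUL_* cookies that are missing the Secure or HttpOnly flag.

Added example: the Set-Cookie values in SAMPLE_HEADERS are constructed and the
cookie values are placeholders; only the two PD_STATEFUL_ names come from the post.
"""
import http.client
import ssl
from dataclasses import dataclass, field

PD_STATEFUL_PREFIX = "PD_STATEFUL_"


@dataclass
class CookieFlags:
    name: str
    secure: bool
    httponly: bool
    attributes: dict = field(default_factory=dict)


def parse_set_cookie(header_value: str) -> CookieFlags:
    """Parse one Set-Cookie header value into its name and attribute flags.

    Attribute names are case-insensitive per RFC 6265, so they are lowercased;
    flag attributes (Secure, HttpOnly) carry no value and map to ''.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, value = attr.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return CookieFlags(
        name=name.strip(),
        secure="secure" in attrs,
        httponly="httponly" in attrs,
        attributes=attrs,
    )


def find_unprotected(set_cookie_headers, prefix=PD_STATEFUL_PREFIX):
    """Return [(cookie_name, [missing flags])] for prefix-matched cookies.

    Matching on the prefix only means the generated suffix in the name is
    irrelevant, which is the point the post raises under Point 1.
    """
    findings = []
    for header_value in set_cookie_headers:
        cookie = parse_set_cookie(header_value)
        if not cookie.name.startswith(prefix):
            continue
        missing = [
            flag for flag, present in (("Secure", cookie.secure), ("HttpOnly", cookie.httponly))
            if not present
        ]
        if missing:
            findings.append((cookie.name, missing))
    return findings


def fetch_set_cookie_headers(host, path="/", port=443, timeout=10):
    """Hypothetical live check: GET a page and return every Set-Cookie header.

    Not executed in this example; use it against a junction URL that is known
    to make WebSEAL issue PD_STATEFUL.
    """
    ctx = ssl.create_default_context()
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=timeout)
    conn.request("GET", path, headers={"Host": host})
    resp = conn.getresponse()
    # getheaders() keeps repeated headers separately, so every Set-Cookie survives
    headers = [v for k, v in resp.getheaders() if k.lower() == "set-cookie"]
    conn.close()
    return headers


# Constructed sample: one unprotected, one partly protected, one unrelated cookie.
SAMPLE_HEADERS = [
    "PD_STATEFUL_8c02899c-abbd-11ea-b4f3-005056b1e0cf=/junction; Path=/",
    "PD_STATEFUL_8b012b34-abbd-11ea-b4f3-005056b1e0cf=/other; Path=/; Secure",
    "app_session=placeholder; Path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    for name, missing in find_unprotected(SAMPLE_HEADERS):
        print(f"{name}: missing {', '.join(missing)}")
```

Run it against the live response (via fetch_set_cookie_headers or a saved header dump) before and after applying the transformation rule; an empty result for the PD_STATEFUL_ prefix is the evidence that the rule took effect, independent of what pdweb.http shows.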