Vulnerability in SharePoint environment

Krishna Sandeep Sangani 61 Reputation points
2022-11-14T15:09:16.957+00:00

Hi Team,
We have vulnerability issues in SharePoint 2016 environment, all patches are up to date.
Here is one among them,

Threat
The session cookie used to identify authenticated users of the Web application does not contain the "HTTPOnly" attribute.

Impact
Cookies without the "HTTPOnly" attribute are permitted to be accessed via JavaScript. Cross-site scripting attacks can steal to session cookies which could lead to user impersonation or compromise of the application account.

Appreciate if any suggestions.
Thanks!

SharePoint Server
SharePoint Server
A family of Microsoft on-premises document management and storage systems.
2,291 questions
SharePoint Development
SharePoint Development
SharePoint: A group of Microsoft Products and technologies used for sharing and managing content, knowledge, and applications.Development: The process of researching, productizing, and refining new or existing technologies.
2,789 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Tong Zhang_MSFT 9,141 Reputation points
    2022-11-15T06:53:24.507+00:00

    Hi @Krishna Sandeep Sangani ,

    According to my research, please try to set the "HttpOnly" attribute in session cookies. And here is a document for reference, please refer to it and fix: https://owasp.org/www-community/HttpOnly

    <session-config>  
       <cookie-config>  
        <http-only>true</http-only>  
       </cookie-config>  
    </session-config>  
    

    Hope it can help you. Thanks for your understanding.

    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.