Cookies are ubiquitous in today’s modern web applications. If an attacker can acquire a user’s session cookie by exploiting a cross-site scripting (XSS) vulnerability, by sniffing an unencrypted HTTP connection, or by some other means, then they can potentially hijack a user’s valid session. Obviously, this can have negative implications for an organization and its users, including theft of sensitive application data or unauthorized/harmful actions.
Qualys Web Application Scanning reports when it discovers a cookie delivered over an HTTPS channel without the “secure” attribute set. This detection is useful for verifying correct coding practices for individual web applications & developers, and across your entire organization. Cookies marked with the secure attribute will never be sent over an unencrypted (non-HTTPS) connection, which keeps them safe from prying eyes that may be sniffing network traffic.
On May 26th 2011, a new EU directive was adopted that requires web sites to gain consent from visitors before they can store cookies or other information used to track a user’s actions. While the EU Cookie legislation went into effect last year, the UK’s Information Commissioner’s Office (ICO) set May 26th of 2012 as the enforcement date. The ICO is the body responsible for enforcing the UK regulation, with authority to levy fines on web site owners up to £500,000.
A Better Way to Identify Cookies
In order to comply with the EU regulations and avoid the UK ICO fines, organizations need to understand what cookies their web sites are issuing and the conditions in which they are issued. Most web application scanning solutions will report the cookies that a web site is issuing. This includes cookies that may be issued by 3rd party sites that have embedded content commonly used to track users for marketing purposes. QualysGuard WAS has provided this information for some time via the Information Gathered (IG) QID 150028 (Cookies Collected). However, the way that the cookies are collected for QID 150028 as well as the way other web application scanners gather cookies may lead to the inclusion of cookies that were issued after the scanner automatically triggered the explicit user consent action. This is because web application scanners typically follow all links, including those that are most commonly used to obtain user consent. What organizations that wish to to gain a user’s explicit consent really need is a way to identify only the cookies that are issued without automatically issuing any user consent actions. In order to address this use case, QualysGuard WAS has implemented a new test (QID 150099), which avoids the most common user consent techniques while gathering cookies from the web site. In doing so, QualysGuard WAS provides organizations with information about the cookies they are issuing without the user’s consent.
Steps to Identify Cookies Issued Without User Consent
The best thing about the new test is that WAS includes it as a standard check during all scans run on or after 26 May, 2012. So organizations using WAS do not need to alter their scan configuration to take advantage of the new test.
To view the cookies issued without user consent in QualysGuard WAS, follow these steps:
1. Log into QualysGuard WAS v2 and navigate to the “Scans” tab.
2. Use the filter panel date selection on the lower left to filter scans to those run on or after 5/26/2012
3. Select the scan and using the quick action menu, choose “View Report”
4. Once the report is open, select the “Results” tab
5. In the filter panel on the left,check the box next to the ‘1’ in the “Information Gathered Levels” section
6. You should see a number of results that are level 1 Information Gathered (IG) items – click on the one with QID 150099. This will show you the cookies that were identified as being issued without any user consent.
Compliance with the Regulation
If you identify any cookies that are subject to the regulation that require user consent – the next step is to set up specific user consent prompts within the web site such that the user can make an informed decision whether to accept or reject the cookies that are being set. The implementation of this will usually take the form of a pop up dialog or prompt, but the actual implementation details will vary based on the organization.