QID: 150122
Severity: 2
CVSS Base: 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)
CVSS Temporal: 5.8 (E:F/RL:W/RC:C)
PCI Compliance Status: FAIL (the QID adheres to the PCI requirements based on the CVSS base score)
Category: Web Application
Port/Service: 443 / Web Application (tcp)
False Positive: N/A
Bugtraq ID: -
CVE ID: -
Vendor Reference: -
Last Update: 10/19/2015 at 00:00:00
Threat: The cookie does not contain the "secure" attribute. Based on the latest release of the PCI-DSS, this vulnerability is a PCI Fail. PCI-DSS v3.1 requirement 6.5.10 is focused on secure session management, and refers to session cookies needing to have the "secure" attribute set within the Cardholder Data Environment. Refer to PCI-DSS v3.1 for details.
Impact: Cookies with the "secure" attribute are only permitted to be sent via HTTPS. Session cookies sent via HTTP expose an unsuspecting user to sniffing attacks that could lead to user impersonation or compromise of the application account.
A: If the associated risk of a compromised account is high, apply the "secure" attribute to cookies and force all sensitive requests to be sent via HTTPS.
The following cookies are set in the response by the NetScaler Gateway:
Set-Cookie: NSC_TMAA=xyz;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT
Set-Cookie: NSC_TMAS=xyz;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure
NSC_TMAA is the equivalent of NSC_TMAS and is deliberately sent without the Secure flag so that the client can present it over plain-text HTTP if required. Both cookies are set once the user is authenticated on NetScaler, and both are important because they are what verifies that the user is authenticated. Because NSC_TMAA lacks the Secure attribute, a browser will attach it to any http:// request for the gateway host, which is exactly why the scanner reports it under this QID; NSC_TMAS carries the Secure attribute and is only ever sent over HTTPS.
The Set-Cookie response above is by design on NetScaler and is therefore expected behavior.
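As an added example (not Citrix or Qualys code), the following script performs the check behind this finding on the two Set-Cookie headers quoted above: it parses each header, lists the cookies that lack the Secure attribute, and then shows which of the two cookies a browser would attach to a plain http:// request versus an https:// request. The request URLs and the gateway.example.com host name are constructed placeholders.

```python
"""
Audit Set-Cookie headers for the Secure attribute and show what it changes.

Added example for this article; it is not Qualys or Citrix code. The two
Set-Cookie headers are the ones quoted above; the request URLs are constructed
for illustration, and the host name is a placeholder.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed input: the two headers quoted in the article, verbatim.
SAMPLE_HEADERS = [
    "Set-Cookie: NSC_TMAA=xyz;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT",
    "Set-Cookie: NSC_TMAS=xyz;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;Secure",
]


@dataclass
class Cookie:
    name: str
    value: str
    path: str = "/"
    secure: bool = False
    httponly: bool = False
    attrs: dict = field(default_factory=dict)  # remaining attributes, e.g. expires


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie line (with or without the 'Set-Cookie:' prefix).

    Attribute names are case-insensitive and Secure/HttpOnly carry no value,
    per RFC 6265 section 5.2. Expires is kept as text and not evaluated: the
    scanner flags a missing Secure attribute regardless of expiry.
    """
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.httponly = True
        elif key == "path":
            cookie.path = val or "/"
        elif key:
            cookie.attrs[key] = val
    return cookie


def missing_secure(headers):
    """Names of cookies that would raise the 'secure attribute' finding."""
    return [c.name for c in map(parse_set_cookie, headers) if not c.secure]


def would_send(cookie: Cookie, url: str) -> bool:
    """Would a user agent attach this cookie to a request for url?

    Applies only the Secure and Path rules of RFC 6265 section 5.4; domain
    and expiry are out of scope for this check.
    """
    u = urlsplit(url)
    if cookie.secure and u.scheme != "https":
        return False
    req_path = u.path or "/"
    return req_path == cookie.path or req_path.startswith(cookie.path.rstrip("/") + "/")


def exposure_report(headers, urls):
    """Map each cookie name to the request URLs it would be sent with."""
    return {
        c.name: [url for url in urls if would_send(c, url)]
        for c in map(parse_set_cookie, headers)
    }


if __name__ == "__main__":
    urls = ["http://gateway.example.com/", "https://gateway.example.com/"]
    print("cookies missing Secure:", missing_secure(SAMPLE_HEADERS))
    for name, sent_to in exposure_report(SAMPLE_HEADERS, urls).items():
        print(f"{name}: sent with requests to {sent_to}")
```

Run against the two quoted headers, the script reports NSC_TMAA as the only cookie missing Secure, and the exposure report shows that a plain http:// request to the gateway host would carry NSC_TMAA but not NSC_TMAS. That is the exposure described in the Impact text: whoever can observe plain-text traffic to the gateway sees the same value that NSC_TMAS protects.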
A: From release 11.0 onward, the user's session cookie is no longer accessible to the rewrite and other modules, so it cannot be inserted as an HTTP header and sent to back-end servers.
[ISSUE ID: 0593256] This change provides an alternative way to check for the presence of the AAA cookie: the HTTP.REQ.USER.SESSIONID expression evaluates to a non-empty string when an AAA session exists, which is equivalent to checking for a valid AAA cookie.