Hm, not sure I follow... I am not talking about what to call stuff, I was
probably a bit vague, but on the topic of detecting session cookies, my answer
is: no expiration. And then some edge cases. Or did I misunderstand your
question?
Sent from my iPhone
On 16 Sep 2012 at 16:53, Andres R wrote:
Martin,
I understand the concept, but could you specify which lines of
code in the plugin you would modify and how? Maybe it is something
like:
"""
In all vulnerability descriptions, if the cookie is a session cookie,
don't call it "cookie" call it "session cookie", example:
if expires:
I'd primarily call all cookies with no expiration session cookies - those get
cleared when the browser closes down. Edge cases are persistent 'session
cookies', e.g. used when the user selected 'remember me'... But those maybe can
be detected at login?
/Martin
Sent from my iPhone
14 sep 2012
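As an added illustration, not code from w3af or from anyone in this thread: a small Python checker that applies Martin's "no expiration" heuristic to classify session cookies and then raises the HttpOnly and Secure findings discussed above, wording them "session cookie" vs "cookie" as Andres proposed. The Set-Cookie headers are constructed samples, and the severity mapping (session cookies as Medium, everything else as Information) is my own assumption.

```python
def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for attr in parts[1:]:
        if "=" in attr:
            key, value = attr.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        elif attr:
            # Flag attributes such as HttpOnly and Secure carry no value.
            attrs[attr.lower()] = True
    return name, attrs


def is_session_cookie(attrs):
    # Martin's heuristic: no Expires and no Max-Age means the browser
    # drops the cookie when it closes. A persistent "remember me" cookie
    # (the edge case he mentions) is deliberately NOT caught here.
    return "expires" not in attrs and "max-age" not in attrs


def analyze_set_cookie(header, over_https=True):
    """Return (severity, description) findings for one Set-Cookie header."""
    name, attrs = parse_set_cookie(header)
    session = is_session_cookie(attrs)
    kind = "session cookie" if session else "cookie"
    # Assumed mapping: session cookies are a real finding, others are
    # logged as informational, as suggested in the thread.
    severity = "Medium" if session else "Information"
    findings = []
    if "httponly" not in attrs:
        findings.append((severity, f'The {kind} "{name}" was set without the HttpOnly flag'))
    if over_https and "secure" not in attrs:
        findings.append((severity, f'The {kind} "{name}" was set over HTTPS without the Secure flag'))
    return findings


# Constructed sample headers, not captured from any real site.
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/",
    "remember_me=tok987; Expires=Wed, 09 Jun 2021 10:18:14 GMT; HttpOnly",
    "tracking=xyz; Max-Age=31536000; Secure; HttpOnly",
]

if __name__ == "__main__":
    for hdr in SAMPLE_HEADERS:
        for severity, desc in analyze_set_cookie(hdr):
            print(f"[{severity}] {desc}")
```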
Achim, Daniel, Stephen, All,
Just finished rewriting the HttpOnly stuff and also modified the
"secure" flag analysis that was already available in our grep plugin.
All the code can be found here [0] and the unit tests are here [1].
Could you guys please review my code? Note that I used the
On 14.09.2012 18:42, Andres Riancho wrote:
> Achim,
>
> On Fri, Sep 14, 2012 at 1:18 PM, Achim Hoffmann wrote:
...
>> What w3af can do is to provide a parameter where to specify cookie names
>> to be ignored. But be prepared for a huge name-checking-nightmare as
>> the same cookie name can be u
Achim,
On Fri, Sep 14, 2012 at 1:18 PM, Achim Hoffmann wrote:
> I'd qualify any cookie without httponly flag as "finding", at least a warning.
Agreed,
> The developer, or the application owner needs to select those which need it
> and those which don't.
+1 again,
> Even if it is "only a track
Daniel,
On Fri, Sep 14, 2012 at 12:32 PM, Daniel Zulla wrote:
> Hmm. Do you think it is impossible to write a session cookie detector?
Not sure, but if I'm going to use it for something that's not
life/death, I don't care about false positives (but do care about false
negatives).
On twitter I ju
I'd qualify any cookie without httponly flag as "finding", at least a warning.
The developer, or the application owner needs to select those which need it
and those which don't.
Even if it is "only a tracking" cookie, modification of the value may be
harmful somewhere.
What w3af can do is to pro
Hmm. Do you think it is impossible to write a session cookie detector?
Generally - sessions sort of look the same, across all languages,
frameworks and use cases: [a-zA-Z0-9_-]+
The only challenge would be look for a pattern, e.g.:
- [a-z], [A-Z], [0-9], - and _ need to alternate at least after ev
On Fri, Sep 14, 2012 at 12:08 PM, Stephen Breen wrote:
> I agree,
>
> As a tester if I find an XSS flaw I would like to know what cookies I can
> access directly. When reporting though I only ever report session cookies
> that were not marked as HTTPOnly, the rest aren't usually worth noting.
@St
I agree,
As a tester if I find an XSS flaw I would like to know what cookies I can
access directly. When reporting though I only ever report session cookies
that were not marked as HTTPOnly, the rest aren't usually worth noting.
On Fri, Sep 14, 2012 at 10:59 AM, Andres Riancho wrote:
> Stephen,
Stephen,
On Fri, Sep 14, 2012 at 11:51 AM, Stephen Breen wrote:
> I think it's difficult to identify this,
Agreed, but if we would live in a world where we could identify which
cookies are for session handling and which for "other stuff"; would
you say that the ideas expressed in the previous em
I think it's difficult to identify this, maybe they should all be logged as
informational.
Plenty of applications use custom session tokens, it wouldn't be possible
to separate these from other types of cookie.
On Fri, Sep 14, 2012 at 10:46 AM, Andres Riancho wrote:
> List,
>
> Yesterday I f
List,
Yesterday I found out that w3af doesn't have a plugin that
verifies if cookies have the httponly flag or not; so I decided to
write it (it was going to be a 2min task) and then I asked myself: "Do
all cookies need to be httponly? What's the use case where a developer
needs to access a co