On 14.09.2012 18:42, Andres Riancho wrote:
> Achim,
>
> On Fri, Sep 14, 2012 at 1:18 PM, Achim Hoffmann wrote:
...
>> What w3af can do is to provide a parameter where to specify cookie names
>> to be ignored. But be prepared for a huge name-checking-nightmare as
>> the same cookie name can be u
Achim,
On Fri, Sep 14, 2012 at 1:18 PM, Achim Hoffmann wrote:
> I'd qualify any cookie without httponly flag as "finding", at least a warning.
Agreed,
> The developer, or the application owner needs to select those which need it
> and those which don't.
+1 again,
> Even if it is "only a track
Daniel,
On Fri, Sep 14, 2012 at 12:32 PM, Daniel Zulla wrote:
> Hmm. Do you think it is impossible to write a session cookie detector?
Not sure, but if I'm going to use it for something that's not
life/death, I don't care about false positives (but do care about false
negatives).
On twitter I ju
I'd qualify any cookie without httponly flag as "finding", at least a warning.
The developer, or the application owner needs to select those which need it
and those which don't.
Even if it is "only a tracking" cookie, modification of the value may be
harmful somewhere.
What w3af can do is to pro
Hmm. Do you think it is impossible to write a session cookie detector?
Generally - sessions sort of look the same, across all languages,
frameworks and use cases: [a-zA-Z0-9_-]+
The only challenge would be look for a pattern, e.g.:
- [a-z], [A-Z], [0-9], - and _ need to alternate at least after ev
On Fri, Sep 14, 2012 at 12:08 PM, Stephen Breen wrote:
> I agree,
>
> As a tester if I find an XSS flaw I would like to know what cookies I can
> access directly. When reporting though I only ever report session cookies
> that were not marked as HTTPOnly, the rest aren't usually worth noting.
@St
I agree,
As a tester if I find an XSS flaw I would like to know what cookies I can
access directly. When reporting though I only ever report session cookies
that were not marked as HTTPOnly, the rest aren't usually worth noting.
On Fri, Sep 14, 2012 at 10:59 AM, Andres Riancho wrote:
> Stephen,
Stephen,
On Fri, Sep 14, 2012 at 11:51 AM, Stephen Breen wrote:
> I think it's difficult to identify this,
Agreed, but if we would live in a world where we could identify which
cookies are for session handling and which for "other stuff"; would
you say that the ideas expressed in the previous em
I think it's difficult to identify this, maybe they should all be logged as
informational.
Plenty of applications use custom session tokens, it wouldn't be possible
to separate these from other types of cookie.
On Fri, Sep 14, 2012 at 10:46 AM, Andres Riancho wrote:
> List,
>
> Yesterday I f
List,
Yesterday I found out that w3af doesn't have a plugin that
verifies if cookies have the httponly flag or not; so I decided to
write it (it was going to be a 2min task) and then I asked myself: "Do
all cookies need to be httponly? What's the use case where a developer
needs to access a co
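A check of the kind this thread discusses, as an added example (Python, not w3af's own code or any list member's): it flags every Set-Cookie header that lacks HttpOnly, and ranks session-like cookies higher using Daniel's `[a-zA-Z0-9_-]+` alphabet heuristic plus an assumed short list of well-known framework session cookie names. The sample headers are constructed.

```python
import re
from dataclasses import dataclass
# Session-token alphabet suggested in the thread, anchored to the whole value.
SESSION_VALUE_RE = re.compile(r"^[A-Za-z0-9_-]+$")
# Well-known framework session cookie names (assumption: a short list, not exhaustive).
KNOWN_SESSION_NAMES = {"phpsessid", "jsessionid", "asp.net_sessionid", "sessionid", "sid"}

@dataclass
class CookieCheck:
    name: str
    value: str
    http_only: bool
    session_like: bool

def looks_like_session_token(name: str, value: str, min_len: int = 16) -> bool:
    """Heuristic: [a-zA-Z0-9_-]+ value mixing character classes, or a known session name."""
    if name.lower() in KNOWN_SESSION_NAMES:
        return True
    if len(value) < min_len or not SESSION_VALUE_RE.match(value):
        return False
    classes = sum(bool(re.search(p, value)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]"))
    return classes >= 2

def parse_set_cookie(header: str) -> CookieCheck:
    """Parse one Set-Cookie header value; attribute names are case-insensitive."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    name, value = name.strip(), value.strip()
    return CookieCheck(name, value, "httponly" in attrs, looks_like_session_token(name, value))

def severity(check: CookieCheck) -> str:
    """Report every cookie lacking HttpOnly; rank session-like ones higher."""
    if check.http_only:
        return "ok"
    return "medium" if check.session_like else "info"

def audit(headers):
    """One (cookie name, severity) finding per Set-Cookie header."""
    return [(c.name, severity(c)) for c in map(parse_set_cookie, headers)]

if __name__ == "__main__":
    # Constructed sample response headers, not captured from any real site.
    sample = ["PHPSESSID=Ab3dE9fGh1JkL2mN0pQr; Path=/",
              "sid=k7Xq2pLm9vRt4wYz8bNc; Path=/; HttpOnly; Secure",
              "lang=en; Path=/", "ab_test=12345678901234567890; Path=/"]
    for name, sev in audit(sample):
        print(f"{name}: {sev}")
```

As Stephen notes above, the "info" findings are the ones a tester would usually drop from a report; the heuristic only decides which findings are promoted, not which are logged.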