Re: [W3af-develop] HttpOnly cookies

Fri, 14 Sep 2012 07:52:09 -0700 

I think it's difficult to identify this, maybe they should all be logged as
informational.

Plenty of applications use custom session tokens, it wouldn't be possible
to separate these from other types of cookie.

On Fri, Sep 14, 2012 at 10:46 AM, Andres Riancho
<andres.rian...@gmail.com>wrote:

> List,
>
>     Yesterday I found out that w3af doesn't have a plugin that
> verifies if cookies have the httponly flag or not; so I decided to
> write it (it was going to be a 2min task) and then I asked myself: "Do
> all cookies need to be httponly? What's the use case where a developer
> needs to access a cookie from within javascript?"
>
>     I think I solved this, but I need your advice on this:
>         * All session cookies (PHPSESSID, etc.) need to be httponly,
> since there is no use case for a developer to access the cookie from
> javascript; and if he's doing it... he's doing something wrong.
>
>         * All other cookies (the ones that are used for tracking,
> language, etc.) don't need to be httponly, but it is recommended they
> are. There might be some cases where the JS developer wants to access
> the cookie that holds the language to show A or B; so that use case we
> can't flag as insecure nor incorrect.
>
>     Ideas?
>
> Regards,
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3
>
>
> ------------------------------------------------------------------------------
> Got visibility?
> Most devs has no idea what their production app looks like.
> Find out how fast your code is with AppDynamics Lite.
> http://ad.doubleclick.net/clk;262219671;13503038;y?
> http://info.appdynamics.com/FreeJavaPerformanceDownload.html
> _______________________________________________
> W3af-develop mailing list
> W3af-develop@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>

------------------------------------------------------------------------------
Got visibility?
Most devs has no idea what their production app looks like.
Find out how fast your code is with AppDynamics Lite.
http://ad.doubleclick.net/clk;262219671;13503038;y?
http://info.appdynamics.com/FreeJavaPerformanceDownload.html
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop

Reply via email to