On 14.09.2012 18:42, Andres Riancho wrote:
> Achim,
>
> On Fri, Sep 14, 2012 at 1:18 PM, Achim Hoffmann <webse...@sic-sec.org> wrote:
...
>> What w3af can do is to provide a parameter where to specify cookie names
>> to be ignored. But be prepared for a huge name-checking-nightmare as
>> the same cookie name can be used in different realms on the same application
>> and have different purposes there.
>
> Then we don't support that and avoid nightmares :)
IMHO, listing all cookies as a warning is a lean solution, better than having a sophisticated one with the risk (in w3af) of false negatives. A step to make the results more comfortable for (dumb:) w3af users might be to just name the session cookies, which then can be highlighted as "high" insecure.

Achim

KISS - keep it simple stupid
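The "flag every cookie, but rate known session cookies higher" approach Achim describes, as an added illustration (not w3af code). It assumes the warning in question concerns missing `Secure`/`HttpOnly` attributes, and the session-cookie name list and sample headers are constructed for the example.

```python
# Constructed list of widely used session-cookie names. Assumption: a finding
# on one of these is reported as "high"; any other cookie is reported as "low".
SESSION_COOKIE_NAMES = {
    "phpsessid", "jsessionid", "asp.net_sessionid", "sessionid", "session", "sid",
}

# Constructed sample Set-Cookie headers, as a scanner might see them in a response.
SAMPLE_HEADERS = [
    "PHPSESSID=abc123; Path=/; HttpOnly",
    "tracking_id=xyz; Path=/; Max-Age=3600",
    "csrf=deadbeef; Secure; HttpOnly; Path=/",
]


def parse_set_cookie(header_value):
    """Return (cookie name, set of lower-cased attribute names) for one Set-Cookie header."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; values (Path=/, Max-Age=...) are dropped.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_cookies(set_cookie_headers):
    """KISS check: every cookie lacking Secure or HttpOnly is reported; no ignore list,
    so there are no false negatives, only a severity hint based on the cookie name."""
    findings = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        missing = [a for a in ("secure", "httponly") if a not in attrs]
        if not missing:
            continue
        severity = "high" if name.lower() in SESSION_COOKIE_NAMES else "low"
        findings.append({"cookie": name, "missing": missing, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in audit_cookies(SAMPLE_HEADERS):
        print(f"[{f['severity']}] {f['cookie']} is missing: {', '.join(f['missing'])}")
```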