Achim, Daniel, Stephen, All,

    Just finished rewriting the HttpOnly stuff and also modified the
"secure" flag analysis that was already available in our grep plugin.
All the code can be found here [0] and the unit tests are here [1].

    Could you guys please review my code? Note that I used the
COOKIE_FINGERPRINT for setting the severity for missing httponly
vulnerabilities; and I'm reporting all cookies which have the missing
flag. Something else that would be interesting to analyze is the
HTTPONLY_RE, which passed my tests but I'm unsure of its
quality/performance.

    Thanks!

PS: Users will benefit from this when I merge threading2 branch with trunk.

[0] https://sourceforge.net/apps/trac/w3af/browser/branches/threading2/plugins/grep/analyze_cookies.py
[1] https://sourceforge.net/apps/trac/w3af/browser/branches/threading2/plugins/tests/grep/test_analyze_cookies.py

Regards,

On Fri, Sep 14, 2012 at 1:49 PM, Achim Hoffmann <webse...@sic-sec.org> wrote:
> On 14.09.2012 18:42, Andres Riancho wrote:
>> Achim,
>>
>> On Fri, Sep 14, 2012 at 1:18 PM, Achim Hoffmann <webse...@sic-sec.org> wrote:
> ...
>>> What w3af can do is to provide a parameter where to specify cookie names
>>> to be ignored. But be prepared for a huge name-checking-nightmare as
>>> the same cookie name can be used in different realms on the same application
>>> and have different purposes there.
>>
>> Then we don't support that and avoid nightmares :)
>
> IMHO listing all cookies as warning is a lean solution, better than having a
> sophisticated one with the risk (in w3af) of false negatives.
>
> A step to make the results more comfortable for (dumb:) w3af users might be to
> just name the session cookies which then can be highlighted as "high" 
> insecure.
>
> Achim
>
> KISS - keep it simple stupid



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
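As an added example (not the plugin code from the threading2 branch linked above) of the check discussed in this thread: parse a Set-Cookie header value, report a missing HttpOnly or Secure flag for every cookie, and rate the finding HIGH when the cookie name looks like a session cookie, in the spirit of COOKIE_FINGERPRINT and Achim's suggestion to just name the session cookies. SESSION_NAME_HINTS, the two regexes, the over_https rule and the sample headers are assumptions constructed here, not w3af's own definitions.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed stand-in for w3af's COOKIE_FINGERPRINT: substrings that commonly
# appear in session-cookie names (assumption, not the plugin's real table).
SESSION_NAME_HINTS = ("sess", "jsessionid", "asp.net_sessionid", "auth", "token")

# Flag regexes: the attribute must sit in attribute position (after a ';'),
# so a cookie *value* such as "note=httponly" does not count as the flag.
HTTPONLY_RE = re.compile(r";\s*httponly\s*(?:;|$)", re.IGNORECASE)
SECURE_RE = re.compile(r";\s*secure\s*(?:;|$)", re.IGNORECASE)


@dataclass
class CookieFinding:
    name: str      # cookie name taken from the first name=value pair
    missing: str   # "HttpOnly" or "Secure"
    severity: str  # "HIGH" for likely session cookies, "LOW" otherwise


def cookie_name(set_cookie_value: str) -> str:
    """Return the cookie name: text before '=' of the first pair."""
    first_pair = set_cookie_value.split(";", 1)[0]
    return first_pair.split("=", 1)[0].strip()


def looks_like_session_cookie(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def analyze_set_cookie(set_cookie_value: str, over_https: bool) -> List[CookieFinding]:
    """Report every missing flag; severity depends only on the name fingerprint."""
    name = cookie_name(set_cookie_value)
    severity = "HIGH" if looks_like_session_cookie(name) else "LOW"
    findings = []
    if not HTTPONLY_RE.search(set_cookie_value):
        findings.append(CookieFinding(name, "HttpOnly", severity))
    # Assumption: a missing Secure flag is only meaningful on an HTTPS response.
    if over_https and not SECURE_RE.search(set_cookie_value):
        findings.append(CookieFinding(name, "Secure", severity))
    return findings


if __name__ == "__main__":
    # Constructed sample Set-Cookie values, as a grep plugin would see them
    for header in ("PHPSESSID=abc123; Path=/", "lang=en; Path=/; HttpOnly; Secure"):
        for f in analyze_set_cookie(header, over_https=True):
            print(f"[{f.severity}] cookie {f.name!r} is missing {f.missing}")
```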
