Hi, I have already reported this at the bugtracker:
http://wald.intevation.org/tracker/index.php?func=detail&aid=6533&group_id=29&atid=220

but after my last mail to openvas-discuss I want to report this in here:

Hi,

from my understanding the regex used in secpod_ssl_cookie_secure_flag_info_disc_vuln.nasl to detect cookies with a missing "Secure" cookie flag is far from complete.

When using the setcookie() function of PHP in a test environment like this:

    setcookie("secure_cookie", "test", time()+3600, "/", "127.0.0.1", 1, 0);

the following cookie is set by the application:

    Set-Cookie: secure_cookie=test; expires=Fri, 16-May-2014 11:34:04 GMT; Max-Age=3600; path=/; domain=127.0.0.1; secure

The regex "[S|s]ecure;?[^a-zA-Z0-9_-]+" used by the NVT is only checking for the following syntax:

    Secure;
    secure;

but misses the:

    ; secure

syntax above, which leads to false positives.

Additionally, if the application is setting more than one cookie like this:

    setcookie("secure_cookie", "test", time()+3600, "/", "127.0.0.1", 1, 0);
    setcookie("httponly_cookie", "test", time()+3600, "/", "127.0.0.1", 0, 1);
    setcookie("secure_httponly_cookie", "test", time()+3600, "/", "127.0.0.1", 1, 1);

resulting in this response:

    Set-Cookie: secure_cookie=test; expires=Fri, 16-May-2014 11:34:04 GMT; Max-Age=3600; path=/; domain=127.0.0.1; secure
    Set-Cookie: httponly_cookie=test; expires=Fri, 16-May-2014 11:34:04 GMT; Max-Age=3600; path=/; domain=127.0.0.1; httponly
    Set-Cookie: secure_httponly_cookie=test; expires=Fri, 16-May-2014 11:34:04 GMT; Max-Age=3600; path=/; domain=127.0.0.1; secure; httponly

Even if the regex above were correct, this is causing a false negative, as the script is only catching all three "Set-Cookies" as one single line.
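Added example, not part of the original mail and not the NVT's own code: a Python sketch of a per-cookie check that splits the response into individual Set-Cookie headers and compares attribute names, set beside the regex quoted in the report. The function names are hypothetical, the response is constructed from the three cookies in the mail, and how the NVT feeds text to its regex (a stripped header value versus the whole header block) is assumed for illustration.

```python
import re

# Regex quoted in the report (as used by the NVT).
NVT_REGEX = re.compile(r"[S|s]ecure;?[^a-zA-Z0-9_-]+")

# Constructed sample: the three Set-Cookie lines from the report.
ATTRS = "expires=Fri, 16-May-2014 11:34:04 GMT; Max-Age=3600; path=/; domain=127.0.0.1"
RESPONSE_HEADERS = (
    "HTTP/1.1 200 OK\r\n"
    f"Set-Cookie: secure_cookie=test; {ATTRS}; secure\r\n"
    f"Set-Cookie: httponly_cookie=test; {ATTRS}; httponly\r\n"
    f"Set-Cookie: secure_httponly_cookie=test; {ATTRS}; secure; httponly\r\n"
    "\r\n"
)

def set_cookie_values(raw_headers):
    """Return the value of every Set-Cookie header, one entry per header line."""
    values = []
    for line in raw_headers.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values

def has_attribute(cookie_value, attribute):
    """True if the cookie carries the attribute (case-insensitive, any position)."""
    # The first ';'-separated part is name=value; the rest are attributes.
    parts = cookie_value.split(";")[1:]
    return any(p.split("=", 1)[0].strip().lower() == attribute.lower() for p in parts)

def cookies_missing_secure(raw_headers):
    """Names of cookies that were set without the Secure attribute."""
    return [value.split("=", 1)[0].strip()
            for value in set_cookie_values(raw_headers)
            if not has_attribute(value, "secure")]

def nvt_regex_sees_secure(text):
    """Apply the reported regex the way a single text match would."""
    return NVT_REGEX.search(text) is not None

if __name__ == "__main__":
    first = set_cookie_values(RESPONSE_HEADERS)[0]
    print("regex on stripped '...; secure' value:", nvt_regex_sees_secure(first))
    print("regex on whole header block:", nvt_regex_sees_secure(RESPONSE_HEADERS))
    print("per-cookie check, missing Secure:", cookies_missing_secure(RESPONSE_HEADERS))
```

The regex needs at least one trailing non-word character after "secure", so it misses the flag at the very end of a stripped value, and a single match anywhere in the combined block hides the cookie that lacks the flag.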
